[57] ABSTRACT 

In a security level control apparatus for controlling a secu- 
rity level of a communication established between commu- 
nication parties, this security level control apparatus is 
arranged by employing a security level recognizing unit and 
a security level setting unit. The security level recognizing 
unit recognizes a security level notified from a communi- 
cation party. The security level setting unit sets the security 
level recognized by the security level recognizing unit as a 
security level for the security level control apparatus. In 
accordance with this security level control apparatus, the 
security level of the communication party recognized by the 
security level recognizing unit is first set as the security level 
for the security level control apparatus. As a result, the 
communication can be established between the communi- 
cation parties without presetting the security level. 
SECURITY LEVEL CONTROL APPARATUS 

AND METHOD FOR A NETWORK 
SECURING COMMUNICATIONS BETWEEN 
PARTIES WITHOUT PRESETTING THE 
SECURITY LEVEL 

BACKGROUND OF THE INVENTION 

The present invention relates to a security level control 
apparatus, and more specifically, to a security level control 
apparatus for controlling security levels of communications 
established between communication parties. 

Also, the present invention relates to a network commu- 
nication system, and in particular, to a network communi- 
cation system constituted by a server apparatus and a client 
apparatus, which perform communications, the security lev- 
els of which are set. 

Network services through which electronic mails are 
provided are commercially available by mutually connect- 
ing computers installed in a distribution manner. 

However, in network systems configured for academic 
purposes, typically known as the Internet, proper care is not 
taken to network security matters. Accordingly, these net- 
work services involve various problems, for instance 
wiretapping, falsification, and impersonation. 

Now, a description will be made of these wiretapping, 
falsification, and impersonation with respect to electronic 
mails. 

The term "wiretapping" implies that a plain text, i.e., a 
correspondence message not yet encrypted is read during 
message transmission. 

The term "falsification" implies that a content of an 
electronic mail is modified. This falsification is performed in 
relaying nodes when an electronic mail is delivered via a 
plurality of relaying nodes. 

The term "impersonation" implies that when no protec- 
tion is established with respect to information for specifying 
a mail sender, a third party (bearing offense) falsifies the 
information for specifying the third party to pose as an 
impersonator. 

To solve these network problems, at least one of the 
following solutions is carried out as follows. For instance, a 
message (data) is encrypted, an electronic signature 
(Message Integrity Check) is used to prevent falsification, 
and a user (communication party) is authenticated. In such 
a network communication system realized in a server/client 
manner, the server apparatus is authenticated and/or the 
client apparatus is authenticated. 

As to encryption techniques, the secret key cryptosystem, 
the public key cryptosystem, and the like are known. In the 
secret key cryptosystem, the encrypting operation and the 
decrypting operation are carried out by using the common 
key between the communication parties. On the other hand, 
in the public key encrypting system, the key system is 
constituted by combining the secret keys for the individual 
users with the public keys, and the public keys are opened 
to the third party, whereas the secret keys are disclosed only 
to the individual users. In this public key cryptosystem, a 
message which has been encrypted by the public key can be 
solved by the secret key. For instance, when a message is 
transmitted from "A" to "B", "A" encrypts this message by 
using the public key of "B", and then "B" who has received 
the encrypted message can decrypt this encrypted message 
by using the own secret key. The person who can decrypt 
this encrypted message is only "B" who knows the own 
secret key. 
As to the authentication techniques, the password authen- 
tication and the electronic signature with employment of the 
public key cryptosystem are known. 

In the above-described conventional network techniques, 
a plurality of security levels are produced when certain 
process operations are combined with each other in order to 
avoid the problems such as wiretapping, falsification, and 
impersonation with respect to the network services. 

For instance, it is conceivable that a resultant security 
level becomes high when electronic mail is encrypted and at 
the same time a user of this electronic mail is authenticated, 
rather than only the encryption of this electronic mail. When 
only the security should be emphasized, it is best to combine 
a large number of processing operations with each other. 
However, in this case, the resultant workloads would be 
increased. 

Under such a circumstance, it is a proper solution to set 
the security level to which importance of a communication 
content is reflected. Proper setting of a security level based 
on importance of a message is called a "policy of security". 

With respect to this "policy of security", the below- 
mentioned problems occur in the above-described conven- 
tional techniques. 
That is, as to the first problem, the communication is 
performed between the communication parties in accor- 
dance with only a predetermined security policy, but cannot 
be carried out in accordance with other security policies. 

As to the second problem, the security level of the 
communication party (communication destination) is con- 
tinuously introduced with a top priority, so that the security 
level cannot be determined. 

The present invention has been made to solve the above- 
described problems, and therefore, has a first object to 
provide a security level control apparatus and a network 
communication system, capable of executing a communi- 
cation between communication parties, while a security 
level is not previously determined. 

Also, a second object of the present invention is to 
provide a security level control apparatus and a network 
communication system, capable of executing a communi- 
cation while determining the own security level. 

SUMMARY OF THE INVENTION 

To achieve the above-described objects, a security level 
control apparatus of the present invention is featured as 
follows. In a security level control apparatus for controlling 
a security level of a communication established between 
communication parties, this security level control apparatus 
is arranged by employing a security level recognizing unit 
and a security level setting unit. 

The security level recognizing unit recognizes a security 
level notified from a communication party. 

The security level setting unit sets the security level 
recognized by the security level recognizing unit as a 
security level for the security level control apparatus. In 
accordance with this security level control apparatus, the 
security level of the communication party recognized by the 
security level recognizing unit is first set as the security level 
for the security level control apparatus. As a result, the 
communication can be established between the communi- 
cation parties without presetting the security level. 

BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the teachings of the 
present invention may be acquired by referring to the 
accompanying drawings, in which: 
FIG. 1 is a block diagram for schematically showing a 
basic idea of a first security level control apparatus accord- 
ing to the present invention; 

FIG. 2 is a block diagram for schematically showing a 
basic idea of a second security level control apparatus 
according to the present invention; 

FIG. 3 is a block diagram for schematically indicating a 
basic idea of a first network communication system accord- 
ing to the present invention; 

FIG. 4 is a block diagram for schematically indicating a 
basic idea of a second network communication system 
according to the present invention; 

FIG. 5 is a block diagram for schematically indicating a 
basic idea of a ninth network communication system accord- 
ing to the present invention; 

FIG. 6 schematically represents an arrangement of a 
system according to an embodiment of the present inven- 
tion; 

FIG. 7 is a schematic block diagram for showing an 
arrangement of the security level control apparatus of the 
embodiment; 

FIG. 8 shows a security level conversion table unit 
included by the security level control apparatus of the 
embodiment; 

FIG. 9 schematically represents a first sequential process 
operation executed between the client apparatus and the 
server apparatus according to the embodiment; 

FIG. 10 schematically represents a second sequential 
process operation executed between the client apparatus and 
the server apparatus according to the embodiment; 

FIG. 11 schematically indicates a sequential process 
operation executed in the respective security levels of the 
embodiment; 

FIG. 12 is a flow chart for indicating a first process 
operation according to the embodiment; and 

FIG. 13 is a flow chart for indicating a second process 
operation according to the embodiment. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

First Security Level Control Apparatus 10 

To solve the above-described first problem, a first security 
level control apparatus 10 of the present invention is 
arranged as follows (corresponding to claim 1). FIG. 1 is a 
schematic block diagram for showing a basic idea of the 
security level control apparatus 10 according to the present 
invention. 

That is, the security level control apparatus 10 for con- 
trolling a security level of a communication executed 
between communication parties is arranged by a security 
level recognizing unit 11 and a security level setting unit 14. 
(Security Level Recognizing Unit 11) 

The security level recognizing apparatus 11 may recog- 
nize a security level notified from communication destina- 
tion (communication party). 
(Security Level Setting Unit 14) 

The security level setting unit 14 may set the security 
level recognized by the security level recognizing unit 11 as 
a security level for the security level control apparatus 10. 

In accordance with the first security level control appa- 
ratus 10 of the present invention, the following operations 
are carried out. First, the security level of the communica- 
tion party recognized by the security level recognizing unit 
11 is set as the security level for the security level control 
apparatus 10. 
Second Security Level Control Apparatus 10 

To solve the above-described second problem, a second 
security level control apparatus 10 of the present invention 
is arranged as follows (corresponding to claim 2). FIG. 1 is 
a schematic block diagram for showing a basic idea of the 
security level control apparatus 10 according to the present 
invention. 

That is, the security level control apparatus 10 for con- 
trolling a security level of a communication executed 
between communication parties is arranged by a security 
level recognizing unit 11, a security level converting table 
unit 12, a security level reading unit 13, and a security level 
setting unit 14. 

(Security Level Recognizing Unit 11) 

The security level recognizing apparatus 11 may recog- 
nize a security level notified from communication destina- 
tion (communication party), 
(Security Level Converting Table Unit 12) 

The security level converting table unit 12 may store a 
relationship between an index made of two sets of security 
levels, and a security level of an actual communication. 
(Security Level Reading Unit 13) 

The security level reading unit 13 may read from the 
security level converting table unit 12, a security level 
corresponding to such an index. This index is defined by the 
security level of the communication party recognized by the 
security level recognizing unit 11, and the security level for 
the security level control apparatus 10. 

(Security Level Setting Unit 14) 

The security level setting unit 14 may set the security 
level recognized by the security level recognizing unit 11 as 
the security level for the security level control apparatus 10. 

In accordance with the second security level control 
apparatus 10 of the present invention, the following opera- 
tions are carried out. First, both the security level of the 
communication party recognized by the security level rec- 
ognizing unit 11 and the security level for the security level 
control apparatus 10 are set as the index. Then, the security 
level corresponding to this index is read from the security 
level converting table unit 12. Thus, this read security level 
is set as the security level for the security level apparatus 10. 

First Network Communication System 

A first network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described first problem 
(corresponding to claim 3). FIG. 3 is a schematic block 
diagram for indicating a basic idea corresponding to the first 
network communication system of the present invention. 

That is, in a network communication system provided 
with a server apparatus 20 and a client apparatus 30, which 
perform a communication whose security level is set, the 
client apparatus 30 includes a security level control appa- 
ratus 10. Then, this security level control apparatus 10 is 
constructed of a security level recognizing unit 11 and a 
security level setting unit 14. 
(Security Level Recognizing Unit 11) 

The security level recognizing unit 11 may recognize a 
security level notified from a communication party 
(communication destination). 
(Security Level Setting Unit 14) 

The security level setting unit 14 may set the security 
level recognized by the security level recognizing unit 11 as 
a security level for the client apparatus 30. 

In accordance with the first network communication sys- 
tem of the present invention, the following operations are 
carried out on the side of the client apparatus 30. First, the 
security level of the server apparatus 20 recognized by the 
security level recognizing unit 11 is set as the security level 
for the client apparatus 30. 

Second Network Communication System 

A second network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described first problem 
(corresponding to claim 4). FIG. 4 is a schematic block 
diagram for indicating a basic idea corresponding to the 
second network communication system of the present inven- 
tion. 

That is, in a network communication system provided 
with a server apparatus 20 and a client apparatus 30, which 
perform a communication whose security level is set, the 
server apparatus 20 includes a security level control appa- 
ratus 10. Then, this security level control apparatus 10 is 
constructed of a security level recognizing unit 11 and a 
security level setting unit 14. 
(Security Level Recognizing Unit 11) 

The security level recognizing unit 11 may recognize a 
security level notified from a communication party 
(communication destination). 
(Security Level Setting Unit 14) 

The security level setting unit 14 may set the security 
level recognized by the security level recognizing unit 11 as 
a security level for the server apparatus 20. 

In accordance with the second network communication 
system of the present invention, the following operations are 
carried out on the side of the server apparatus 20. First, the 
security level of the client apparatus 30 recognized by the 
security level recognizing unit 11 is set as the security level 
for the server apparatus 20. 

Third Network Communication System 

A third network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described first problem 
(corresponding to claim 5). 

That is, in the first network communication system, a 
plurality of the server apparatus 20 are employed. 

Then, the security level control apparatus 10 provided 
with the client apparatus 30 may control the security level 
with respect to each of the server apparatus 20. 

In accordance with the third network communication 
system of the present invention, the following operations are 
carried out. That is, the security levels are controlled by the 
server apparatus 20. 

Fourth Network Communication System 

A fourth network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described first problem 
(corresponding to claim 6). That is, in the second network 
communication system, a plurality of the above-described 
client apparatuses 30 are employed. Then, the security level 
control apparatus 10 employed in the server apparatus 20 
may control the security levels with respect to each of the 
client apparatuses 30. 

According to the fourth network communication system, 
the following operation is performed. That is, the security 
level is controlled with respect to each of the client appa- 
ratuses 30. 

Fifth Network Communication System 

A fifth network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described second problem 
(corresponding to claim 7). 

That is, in either the first or third network communication 
system, the security level control apparatus 10 owned by the 
client apparatus 30 includes a security level converting table 
unit 12 and a security level reading unit 13. 

The security level converting table unit 12 stores a 
relationship between an index constructed of two sets of 
security levels and an actual communication security level. 

The security level reading unit 13 reads from the security 
level converting table unit 12, a security level corresponding 
to such an index that is constructed of a security level of a 
communication party recognized by the security level rec- 
ognizing unit 11, and the security level for the client 
apparatus 30. 

Then, the security level setting unit 14 sets the security 
level read from the security level reading unit 13 as the 
security level for the client apparatus 30. 

In accordance with the fifth network communication 
system of the present invention, the following operations are 
carried out. First, the security level of the server apparatus 
20 recognized by the security level recognizing unit 11, and 
the security level for the client apparatus 30 are used as the 
index. Then, the security level corresponding to this index is 
read from the security level converting table unit 12. This 
read security level is set as a security level for the client 
apparatus 30. 

Sixth Network Communication System 

A sixth network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described second problem 
(corresponding to claim 8). 

That is, in either the second or fourth network commu- 
nication system, the security level control apparatus 10 
owned by the server apparatus 20 includes a security level 
converting table unit 12 and a security level reading unit 13. 

The security level converting table unit 12 stores a 
relationship between an index constructed of two sets of 
security levels and an actual communication security level. 

The security level reading unit 13 reads from the security 
level converting table unit 12, a security level corresponding 
to such an index that is constructed of a security level of the 
client apparatus 30 recognized by the security level recog- 
nizing unit 11 and the security level for the server apparatus 
20. 

Then, the security level setting unit 14 sets the security 
level read from the security level reading unit 13 as the 
security level for the server apparatus 20. 

In accordance with the sixth network communication 
system of the present invention, the following operations are 
carried out. First, the security level of the client apparatus 
30 recognized by the security level recognizing unit 11, and 
the security level for the server apparatus 20 are used as the 
index. Then, the security level corresponding to this index is 
read from the security level converting table unit 12. This 
read security level is set as a security level for the server 
apparatus 20. 

Seventh Network Communication System 

A seventh network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described second problem 
(corresponding to claim 9). 

That is, in the fifth network communication system, the 
security level control apparatus 10 owned by the client 
apparatus 30 may dynamically change the security level 
even during the communication in response to a request 
from the client apparatus 30. 

In accordance with the seventh network communication 
system of the present invention, the following operations are 
carried out. That is, the security levels are dynamically 
variable even during the communication. 

Eighth Network Communication System 

An eighth network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described second problem 
(corresponding to claim 10). 

That is, in the sixth network communication system, the 
security level control apparatus owned by the server appa- 
ratus may dynamically change the security level even during 
the communication in response to a request from the server 
apparatus. 

In accordance with the eighth network communication 
system of the present invention, the following operations are 
carried out. That is, the security levels are dynamically 
variable even during the communication. 

Ninth Network Communication System 

A ninth network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described second problem 
(corresponding to claim 11). FIG. 5 is a schematic block 
diagram for indicating a basic idea corresponding to the 
ninth network communication system of the present inven- 
tion. 

That is, in a network communication system provided 
with the server apparatus 20 and the client apparatus 30, 
which perform a communication whose security level is set, 
the server apparatus 20 and the client apparatus 30 include 
security level control apparatuses 10. Then, this security 
level control apparatus 10 is constructed of a security level 
recognizing unit 11, a security level converting table unit 12, 
a security level reading unit 13, and a security level setting 
unit 14. 
(Security Level Recognizing Unit 11) 

The security level recognizing unit 11 may recognize a 
security level notified from a communication party. 
(Security Level Converting Table Unit 12) 

The security level converting table unit 12 stores a 
relationship between an index constructed of two sets of 
security levels and an actual communication security level. 
(Security Level Reading Unit 13) 

The security level reading unit 13 reads from the security 
level converting table unit 12, a security level corresponding 
to such an index that is constructed of the security level of 
the communication party recognized by the security level 
recognizing unit 11 and the security level for the security 
level control apparatus 10. 
(Security Level Setting Unit 14) 

The security level setting unit 14 sets the security level 
read from the security level reading unit 13 as the security 
level for the security level control apparatus 10. 

In accordance with the ninth network communication 
system, the following operations are carried out. First, both 
the security level of the communication party recognized by 
the security level recognizing unit 11 and the security level 
for the security level control apparatus 10 are used as the 
index. Then, the security level corresponding to this index is 
read from the security level converting table unit 12. This 
read security level is set as the security level for the security 
level control apparatus 10. 
Tenth Network Communication System 

A tenth network communication system of the present 
invention is arranged by the below-mentioned arrangement 
so as to solve the above-described second problem 
(corresponding to claim 12). 

That is, in the ninth network communication system, the 
security level control apparatus 10 owned by the client 
apparatus 30 may dynamically change the security level 
even during the communication in response to a request 
from the client apparatus 30. 

Then, the security level control apparatus 10 owned by the 
server apparatus 20 may dynamically change the security 
level even during the communication in response to a 
request from the server apparatus 20. 

In accordance with the tenth network communication 
system of the present invention, the following operations are 
carried out. That is, the security levels are dynamically 
variable even during the communication. 
(Embodiment Modes) 

Various embodiment modes of the present invention will 
now be described with reference to the drawings. 
(System Arrangement of Embodiment Mode) 

A system of an embodiment mode is arranged by employ- 
ing a server apparatus 20 (also, referred to as a "server"), as 
shown in FIG. 6, a network 40 connected to this server 
apparatus, and a client apparatus 30 (also, referred to as a 
"client") connected to this network 40. 

In this system, a communication is established between 
the server apparatus 20 and the client apparatus 30. To 
prevent wiretapping, falsification, and impersonation in the 
communication, five stages of security levels can be set in 
accordance with importance of communication contents. 

It should be noted that although only one server apparatus 
20 is indicated in FIG. 6, a plurality of server apparatuses 
may be employed. Similarly, although only one client appa- 
ratus 30 is shown in this drawing, a plurality of client 
apparatuses may be employed. 
(Security Level) 

When the communication starts, the server apparatus 20 
and the client apparatus 30 notify independently set security 
levels to the counter party. Therefore, the server apparatus 
20 and the client apparatus 30 communicate in accordance 
with security levels determined based upon the mutual 
security levels. 

As previously described, in accordance with this 
embodiment, the security levels may be set in the five stages. 
These five-staged security levels are set as follows: 

Security Level "1" — Neither encryption nor authentica- 
tion is performed. It is a so-called "normal communi- 
cation". 

Security Level "2" — Only encryption is carried out. 

Security level "3" — Both encryption and user authentica- 
tion are performed. 

Security level "4" — Both encryption and server authen- 
tication are carried out. 

It should be noted that this security level "4" is a 
security level equivalent to the security level "3". 
Security level "5" — Encryption, user authentication, and 

server authentication are carried out. 
It should also be noted that when a plurality of client 
apparatuses 30 are provided, the server apparatus 20 may 
communicate in response to the security levels indepen- 
dently set for the respective client apparatuses 30. 

It should be also noted that when a plurality of server 
apparatuses 20 are provided, the client apparatus 30 may 
communicate in response to the security levels indepen- 
dently set for the respective server apparatuses 20. 

Then, as the security level, other items may be set as 
follows. That is, no encryption is carried out at the security 
levels "2" to "5", and alternatively, the client is authenticated 
at the security levels "2" to "5". 

Furthermore, the expression "user authentication" 
involves authentication with employment of a password, and 
authentication with employment of a public key certifica- 
tion. This embodiment mode describes the authentication 
with employment of the public key certification. 

(Arrangement of Server Apparatus 20) 

The server apparatus 20 is arranged by employing a 
communication control unit 21 connected to the network 40, 
a service processing unit 22 connected to this communica- 
tion control unit 21, a security level control apparatus 10 
connected to this service processing unit 22, and a storage 
unit 23 connected to the service processing unit 22. 

The communication control unit 21 controls the commu- 
nication established between the server apparatus 20 and the 
network 40. 

To accept various service requests issued from the server 
apparatus 20, the service processing unit 22 transmits/ 
receives the data among the security level control apparatus 
10, the communication control unit 21, and the storage unit 
23. 

The storage unit 23 stores therein information concerning 
a user secret key (SKm: "m" being subscript), a user 
certification (CERTm: "m" being subscript), and a certifi- 
cation of an issuing station (CERTca: "ca" being subscript). 
As this storage unit 23, for instance, a RAM (Random 
Access Memory), a semiconductor memory device, a mag- 
netic disk storage apparatus, a magnetic tape recording 
apparatus, an M/O (Magneto-Optical) disk apparatus, and an 
IC card are employed. 

The security level control apparatus 10 is an apparatus for 
controlling security of actually performed communications 
based upon the security level notified from the client appa- 
ratus 30 and the security level owned by the server apparatus 
20 when the communication is commenced. An arrangement 
of the security level control apparatus 10 will be explained 
subsequent to the description about the arrangement of the 
client apparatus 30. 

(Arrangement of Client Apparatus 30) 

The client apparatus 30 is arranged by employing a 
communication control unit 31 connected to the network 40, 
a service processing unit 32 connected to this communica- 
tion control unit 31, a security level control apparatus 10 
connected to this service processing unit 32, and a storage 
unit 33 connected to the service processing unit 32. 

The communication control unit 31 controls the commu- 

The security level control apparatus 10 is such an appa- 
ratus for negotiating the security level notified from the 
server apparatus 20 with the security level owned by the 
client apparatus 30 when the communication is commenced. 

(Arrangement of Security Level Control Apparatus 10) 

Since the security level control apparatus 10 provided in 
the server apparatus 20 is arranged similar to the 
security level control apparatus 10 employed in the client 
apparatus 30, the arrangement thereof will now be described 
without discrimination. 

As shown in FIG. 7, the security level control apparatus 
10 is constituted by employing a control unit 16, a security 
level recognizing unit 11, a security level converting table 
unit 12, a security level setting unit 14, a security level 
notifying unit 15, an encryption processing unit 17, and an 
authentication processing unit 18. 

The control unit 16 is connected to either the service 
processing unit 22 (in case of server apparatus 20) or the 
service processing unit 32 (in case of client apparatus 30), 
and also connected to the security level recognizing unit 11, 
the security level converting table unit 12, the security level 
reading unit 13, the security level setting unit 14, the security 
level notifying unit 15, the encryption processing unit 17, 
and the authentication processing unit 18. Then, the control 
unit 16 controls data transmitting/receiving operations 
among these units. 

The security level recognizing unit 11 recognizes the 
security level notified from the communication party. 

The security level converting table unit 12 sets the index 
of the server to 1 through 5, and also the index of the client 
to 1 through 5 in such a case that the security levels used in 
the network are set to five stages, i.e., 1 through 5, which all 
the servers and all the clients can own in order that any of 
these servers and clients can use this converting table. Then, 
the security level converting table unit 12 is arranged in 
such a manner that any one of the 25 patterns in total can be 
obtained based upon the security levels requested by the 
respective servers and clients which actually perform the 
communications. 

In FIG. 8, there is shown the security level converting 
table unit 12 according to this embodiment. In the case of 
FIG. 8, assuming now that the security level of the client is 
"2" and the security level of the server is "4", the security 
level of the actual communication becomes "4". It should be 
noted in this drawing that a portion indicated as "X" implies 
that no communication can be performed at the security 
levels set by the server apparatus 20 and the client apparatus 
30. In other words, this "X" portion corresponds to such a 
case that the security levels cannot be controlled. 

As described above, the security level converting table 

nication established between the server apparatus 20 and the unit 12 according to this embodiment is arranged as the 

network 40. following table, considering that the information provided 

To accept various service requests issued from the chent by the server is important. That is, when the security level 

apparatus 30, the service processing unit 32 transmits/ requested by the server is higher than the security level 

receives the data among the security level control apparatus 55 requested by the client, the security level requested by the 

10, the communication control unit 31, and the storage unit server may have a priority. 

33. However, the structure of the security level converting 
The storage unit 33 stores therein information concerning table unit 12 is not limited to the above-described embodi- 
a server PubUc key (PKs: "s" being subscript), a server ment. Alternatively, for example, the security level convert- 
certificate (CERTs: "s" being subscript), a server secret key 60 ing table unit 12 may be arranged by that only a security 
(SKs: "s" being subscript), and a certificate of a Certification level which can be required by an own apparatus is set as a 
Authority (CERTca: "ca" being subscript). At this storage first index, and all of security levels which can be required 
unit 33, for instance, a RAM (Random Access Memory), a by a coimter party's apparatus are set as a second index. For 
semiconductor memory device, a magnetic disk storage instance, assmning now that in the above-described network, 
apparatus, a magnetic tape recording apparatus, an M/0 65 the own apparatus corresponds to the chent which can 
(Magneto-Optical) disk apparatus, and an IC card are require the security levels 1 through 3, and that the counter 
employed. party's apparatus corresponds to the server which can 
require the security levels 1 through 5, any one of 15 patterns may be obtained, namely 15 patterns (in total) = indexes (3) of the own apparatus x indexes (5) of the server apparatus.

While using the security level of the communication party recognized by the security level recognizing unit 11 and the security level for the security level control apparatus 10 as the index, the security level reading unit 13 reads the security level corresponding to this index from the security level converting table unit 12.

The security level setting unit 14 sets the security level read out by the security level reading unit 13 as the security level for the security level control apparatus 10.

The security level notifying unit 15 notifies the own security level to the communication party.

The encryption processing unit 17 encrypts a message to be output to the communication party and, conversely, decrypts an encrypted message received from the communication party. In this embodiment, the DES (Data Encryption Standard) system is utilized as the secret key cryptosystem, whereas the RSA (Rivest-Shamir-Adleman) system is employed as the public key cryptosystem.

The authentication processing unit 18 performs server authentication (in the case of the client apparatus 30) and user authentication.

(Sequential Process Operation Between Client Apparatus 30 and Server Apparatus 20)

Referring now to FIG. 9 and FIG. 10, the sequential process operation between the client apparatus 30 and the server apparatus 20 in this embodiment will be described. It should be understood that not all of the sequential process operations are executed; only the process operations necessary for each security level are executed.

First, the client apparatus 30 notifies a communication request to the server apparatus 20 (step 901, this notification is expressed as "1"). In response to this communication request, the server apparatus 20 notifies acceptance to the client apparatus 30 (step 902, this notification is indicated as "2").

After the acceptance is notified to the client apparatus 30, a communication preprocess operation is carried out between the client apparatus 30 and the server apparatus 20 (step 903, this preprocess operation is indicated by "3"). Here, the communication preprocess operation implies information exchanges, for instance, information about the terminal type, information about the display system (how information is displayed, by which line and which digit), information about the character code used, and the IP address.

After the preprocess operation is complete, the client apparatus 30 notifies the security level set by the client apparatus 30 to the server apparatus 20 (step 904, this notification is indicated by "4"). Upon receipt of this notification, the server apparatus 20 recognizes the security level set by the client apparatus 30 (step 905, this recognition is indicated by "6").

Subsequently, the server apparatus 20 notifies the security level set by the server apparatus 20 to the client apparatus 30 (step 906, this notification is indicated by "5"). Upon receipt of this notification, the client apparatus 30 recognizes the security level set by the server apparatus 20 (step 907, this recognition is denoted by "7").

In accordance with the security level set by the client apparatus 30 and the security level notified from the server apparatus 20, the client apparatus 30 selects the security level of the actually performed communication (step 908, this selection is expressed by "8").

In accordance with the security level set by the server apparatus 20 and the security level notified from the client apparatus 30, the server apparatus 20 selects the security level of the actually performed communication (step 909, this selection is also expressed by "8").

It should be understood that the security levels selected at step 908 and at step 909 coincide with each other.

Thereafter, the client apparatus 30 notifies the user certificate (CERTm) to the server apparatus 20 (step 910, this notification is expressed by "A").

The server apparatus 20 verifies the notified user certificate based on the certificate of the Certification Authority (CERTca) (step 911).

The server apparatus 20 notifies the public key (PKs) of the server, or the certificate (CERTs) of the server, to the client apparatus 30 (step 912, this notification is indicated by "B").

The client apparatus 30 verifies the notified certificate (CERTs) of the server based upon the certificate (CERTca) of the issuing Certification Authority (step 913).

Also, the client apparatus 30 produces "DEK1", corresponding to a seed for authentication (in this case, authentication of the server), by way of random numbers (step 914).

Thereafter, the client apparatus 30 notifies to the server apparatus 20 PKs(DEK1), produced by encrypting "DEK1" with the public key (PKs) of the server (step 915, this notification is indicated by "C"). In other words, the client apparatus 30, corresponding to a "sender", encrypts a session key used to read the statement with the public key (PKs) of the server apparatus 20, corresponding to a "receiver". Up to this processing stage, since there is no session key shared by the client apparatus 30 and the server apparatus 20, the encryption is carried out by way of the public key cryptosystem (RSA).

The server apparatus 20 derives DEK1 by decrypting the notified PKs(DEK1) with the secret key (SKs) of the server (step 916). In other words, the server apparatus 20, functioning as the receiver, decrypts the session key by using its own secret key (SKs). Thereafter, content sent from the client apparatus 30 is decrypted with the decrypted session key.

The server apparatus 20 produces SKs(DEK1) by signing DEK1 with the server secret key (SKs) (step 917).

Thereafter, the server apparatus 20 notifies DEK1(SKs(DEK1)), produced by encrypting SKs(DEK1) with DEK1, to the client apparatus 30 (step 918, this notification is indicated by "D"). Here, the reason why SKs(DEK1) is encrypted with DEK1 is so that the electronic signature cannot be wiretapped. The reason why such an electronic signature is made is to verify that the sender is authentic and that the content of the statement has not been falsified. For example, a signer "A" makes a digest of the statement by using a proper hash function, and then encrypts this digest with the secret key of signer "A". This constitutes a signature. A verifier "B" verifies the signature by decrypting it with the public key of the signer "A" and checking whether or not the result is equal to the digest of the original statement. If the result is not equal to the digest of the original statement, then it can be seen that the statement has been falsified.

Now, the client apparatus 30 executes the following items 1) to 3) as a process "E" (step 919). 1) DEK1(SKs(DEK1)) is decrypted with DEK1 to derive SKs(DEK1). 2) DEK1 is derived from the derived SKs(DEK1) by employing the public key (PKs) contained in the certificate of the server. 3) The derived DEK1 is compared with the DEK1 produced at step 914.
With this comparison, the server is authenticated. The reason why this authentication is performed is to confirm whether or not the public key published as the server certificate is really the key of the server apparatus 20. This confirmation is performed by employing the server certificate (CERTs) authenticated by a third party. Such a confirmation is also called "third party authentication" or "electronic notary public". Simply speaking, a counter party makes a signature on a mail sent by an owner, and if this signature, decrypted by employing the public key of the counter party, is identical to the signature sent by the owner, then the authentication can be established.

As a result of the comparison of item 3) at step 919, if the received signature is identical to the original signature, then the client apparatus 30 notifies "ACK" to the server apparatus 20, whereas if the received signature is not identical to the original signature, then the client apparatus 30 notifies "NACK" to the server apparatus 20.

Next, the server apparatus 20 produces DEK2, corresponding to a seed for authentication (in this case, authentication of the user), by using random numbers (step 921).

Subsequently, the server apparatus 20 notifies to the client apparatus 30 DEK1(DEK2), produced by encrypting DEK2 by utilizing the secret key cryptosystem (step 922, this notification is indicated by "F"). Here, the reason why the secret key cryptosystem is employed is that the encryption key DEK1 is now shared by the client apparatus 30 and the server apparatus 20, and when this encryption key DEK1 is utilized the processing speed can be increased. In other words, if all of the encryption were done with the public key cryptosystem, processing would be slower.

Subsequently, the client apparatus 30 derives DEK2 by decrypting the DEK1(DEK2) notified from the server apparatus 20 with the session key DEK1 (step 923).

Also, the client apparatus 30 produces SKm(DEK2) by making an electronic signature on DEK2 by employing the secret key (SKm) of the user (step 924).

Thereafter, the client apparatus 30 notifies DEK2(SKm(DEK2)), produced by encrypting SKm(DEK2) with DEK2 (step 925, this notification is expressed by "G").

Now, the server apparatus 20 executes the following items 1) to 3) (step 926). 1) DEK2(SKm(DEK2)) is decrypted with DEK2 to derive SKm(DEK2). 2) DEK2 is derived from the derived SKm(DEK2) by employing the user public key contained in the user certificate (CERTm). 3) The derived DEK2 is compared with the DEK2 produced at step 921. With this comparison, the user is authenticated.

As a result of the comparison of item 3) at step 926, if the decrypted signature is identical to the original signature, then the server apparatus 20 notifies "ACK" to the client apparatus 30, whereas if the received signature is not identical to the original signature, then the server apparatus 20 notifies "NACK" to the client apparatus 30 (step 927, this notification is represented by "H").

Thereafter, communication is carried out by employing the session key DEK2 between the client apparatus 30 and the server apparatus 20 (step 928, this communication is indicated by "9").

(Sequential Process Operations Executed In Respective Security Levels)

The sequential process operations executed in the respective security levels will now be explained with reference to FIG. 11. First, in the security level "1", the above-explained process operations (1), (2), (3), (4), (5), (6), (7), (8) and (9) are carried out in this order.

Next, in the security level "2", the above-described process operations (1), (2), (3), (4), (5), (6), (7), (8), (B), (C) and (F) are performed in this order.

Then, in the security level "3", the above-described process operations (1), (2), (3), (4), (5), (6), (7), (8), (A), (B), (C), (F), (G) and (H) are sequentially executed.

Then, in the security level "4", the above-described process operations (1), (2), (3), (4), (5), (6), (7), (8), (B), (C), (D), (E) and (F) are sequentially executed.

Next, in the security level "5", the above-described process operations (1), (2), (3), (4), (5), (6), (7), (8), (A), (B), (C), (D), (E), (F), (G) and (H) are performed in this order.

(First Process Operation)

Referring now to FIG. 12, the first process operation will be explained.

First, the client apparatus 30 (client) accesses a communication party (step 1201).

Next, the server apparatus 20 (server) accepts the communication by the client (step 1202).

At this stage, the communication preprocess operation is complete (step 1203).

Thereafter, the client requests the security level "3" (step 1204).

In response to this request, the security level control apparatus 10 of the server recognizes that the security level of the client is equal to "3" (step 1205).

Next, the server requests the security level "5" (step 1206).

In response to this request, the security level control apparatus 10 of the client recognizes that the security level of the server is equal to "5" (step 1207).

At this stage, the security level control apparatuses 10 of the server and the client select the security level "5" in accordance with the security level converting table unit 12 (step 1208).

Both the server and the client perform the encrypted communication after executing the sequential process operations (A), (B), (C), (D), (E), (F), (G) and (H) of FIG. 9 and FIG. 10, including the exchange of the session keys (step 1209).

(Second Process Operation)

Referring now to FIG. 13, the second process operation will be explained.

First, the client apparatus 30 (client) accesses a communication party (step 1301).

Next, the server apparatus 20 (server) accepts the communication by the client (step 1302).

At this stage, the communication preprocess operation is complete (step 1303).

Thereafter, the client requests the security level "2" (step 1304).

In response to this request, the security level control apparatus 10 of the server recognizes that the security level of the client is equal to "2" (step 1305).

Next, the server requests the security level "2" (step 1306).

In response to this request, the security level control apparatus 10 of the client recognizes that the security level of the server is equal to "2" (step 1307).

At this stage, the security level control apparatuses 10 of the server and the client select the security level "2" in accordance with the security level converting table unit 12 (step 1308).

Both the server and the client perform the encrypted communication after executing the sequential process operations (B), (C) and (F) of FIG. 9 and FIG. 10, including the exchange of the session keys (step 1309).

As previously described in detail, the communication level is not determined based only upon the communication level requested by the counter party's apparatus; rather, the actual communication level is determined based on the communication levels requested by both parties' apparatuses in this embodiment. As a consequence, the following
effects can be achieved. That is, in the case that this embodiment is applied to the Internet, when a communication is established between a server and a user apparatus (called a "host" in the Internet field), the security level converting table unit 12 is arranged so that the level requested by the server has priority. This avoids the problem that arises when the server wants to encrypt the information so that other apparatuses cannot read it, while the user requests to communicate in "plain text".

Furthermore, even when the situations of the server and the client are reversed, the above-mentioned effects of this invention can be achieved.
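The table lookup and negotiation described above (the FIG. 8 table, steps 904 to 909, and the two process operations of FIG. 12 and FIG. 13), as an added example written for this page in Python; it is not code from the patent. FIG. 8 itself is not reproduced on the page, so the table contents below, in particular which cells are "X", are an assumption chosen to agree with what the page states (client "2" and server "4" give "4"; the server's level has priority when it is the higher one). The letters run at each level follow the FIG. 11 description; all function names are my own.

```python
"""Security-level negotiation through the converting table unit 12.

Editor-written illustration for this page, not the patent's code.  The
5x5 table below is an ASSUMED instance consistent with what the page says
about FIG. 8 (client "2" / server "4" gives "4"; the server's level wins
when it is the higher one; some cells are "X"), but FIG. 8 itself is not
reproduced on the page, so the exact cells, and which ones are "X", are my
choice.  Which letters run at each level follows the FIG. 11 description.
"""

X = None  # an "X" cell of FIG. 8: no communication possible at these levels

# TABLE[server_level][client_level] -> level of the actual communication.
TABLE = {
    #   client:   1     2     3     4     5
    1: {1: 1, 2: 2, 3: 3, 4: X, 5: X},
    2: {1: 2, 2: 2, 3: 3, 4: 4, 5: X},
    3: {1: 3, 2: 3, 3: 3, 4: 4, 5: 5},
    4: {1: 4, 2: 4, 3: 4, 4: 4, 5: 5},
    5: {1: 5, 2: 5, 3: 5, 4: 5, 5: 5},
}

# Process operations of FIG. 9/10 run after the common steps (1)-(8):
# A CERTm, B CERTs/PKs, C PKs(DEK1), D DEK1(SKs(DEK1)), E client checks
# the server's signature, F DEK1(DEK2), G DEK2(SKm(DEK2)), H ACK/NACK.
PROCESSES = {
    1: [],                                        # plain text, step (9) only
    2: ["B", "C", "F"],                           # session keys, no authentication
    3: ["A", "B", "C", "F", "G", "H"],            # user authentication
    4: ["B", "C", "D", "E", "F"],                 # server authentication
    5: ["A", "B", "C", "D", "E", "F", "G", "H"],  # mutual authentication
}


def read_level(own_level, party_level, own_is_server):
    """Security level reading unit 13: index the table with both levels."""
    s, c = (own_level, party_level) if own_is_server else (party_level, own_level)
    return TABLE[s][c]


def negotiate(server_level, client_level):
    """Steps 904-909: both sides read the table from their own viewpoint.

    The page states the results of steps 908 and 909 coincide.  If they do
    not (the two apparatuses carry different tables), refuse the connection
    instead of letting either side's choice stand.
    """
    at_server = read_level(server_level, client_level, own_is_server=True)
    at_client = read_level(client_level, server_level, own_is_server=False)
    if at_server != at_client:
        raise ValueError(f"table mismatch: server={at_server} client={at_client}")
    if at_server is X:
        return None, []  # "X": the security levels cannot be controlled
    return at_server, PROCESSES[at_server]


def server_has_priority(table=TABLE):
    """The FIG. 8 property the page relies on: whenever the server asks for
    the higher level, the actual level is the server's, so a client asking
    for plain text cannot downgrade a server that wants encryption."""
    return all(table[s][c] == s for s in table for c in table[s] if s > c)


def restricted_table(own_levels, party_levels, own_is_server=False):
    """The alternative layout: only the levels this apparatus can require as
    the first index, every level the counter party can require as the
    second (3 x 5 = 15 patterns in the page's client example)."""
    return {(o, p): read_level(o, p, own_is_server)
            for o in own_levels for p in party_levels}
```

`negotiate(5, 3)` reproduces FIG. 12 (level "5", processes A to H) and `negotiate(2, 2)` reproduces FIG. 13 (level "2", processes B, C, F). The mismatch check is the one thing a practitioner should not drop: the page only asserts that steps 908 and 909 agree, and if a deployed client carries a table that differs from the server's, the two sides would otherwise run different process sequences against each other.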
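The exchange of messages (A) to (H) at security level "5" (steps 910 to 928 of FIG. 9 and FIG. 10, with the server verifying CERTm and the client verifying CERTs), as an added, editor-written example; it is not the patent's code. It assumes textbook RSA on fixed small primes in place of the page's RSA, an XOR with a SHA-256 keystream in place of DES, and certificates represented as dicts signed by a CA key pair; every name and constant is my own, and none of the primitives is secure as written.

```python
"""Messages (A) to (H) of FIG. 9 and FIG. 10 at security level "5".

Editor-written illustration for this page, not the patent's code.  ASSUMED
stand-ins: textbook RSA over fixed ~60-bit moduli replaces the page's RSA,
an XOR with a SHA-256 keystream replaces DES, and a certificate is a dict
signed by a CA key pair.  None of this is secure; it shows the message flow
and what each side checks.  Signatures are made over a tagged digest rather
than over the raw DEK value (see the note after the code).
"""
import hashlib
import secrets

# Assumed small primes for three key pairs: CA, server ("s") and user ("m").
PRIMES = [(1000000007, 998244353), (1000000009, 999999937), (999999929, 999999893)]


def rsa_keypair(p, q, e=65537):
    """Return (PK, SK) as (modulus, exponent) pairs."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def rsa_encrypt(pk, m):  # PK(m)
    return pow(m, pk[1], pk[0])

def rsa_decrypt(sk, c):  # SK(c)
    return pow(c, sk[1], sk[0])

def _digest(tag, data):
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big")

def rsa_sign(sk, tag, data):  # SK(data): sign a domain-separated digest
    return pow(_digest(tag, data) % sk[0], sk[1], sk[0])

def rsa_verify(pk, tag, data, sig):
    return pow(sig, pk[1], pk[0]) == _digest(tag, data) % pk[0]

def sym(key, data):  # DEK(data): toy DES stand-in, XOR with a SHA-256 keystream
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def to_b(x):
    return x.to_bytes(8, "big")

def from_b(b):
    return int.from_bytes(b, "big")

def cert_body(subject, pk):
    return subject.encode() + to_b(pk[0]) + to_b(pk[1])

def make_cert(ca_sk, subject, pk):  # CERT = subject, public key, CA signature
    return {"subject": subject, "pk": pk, "sig": rsa_sign(ca_sk, b"cert", cert_body(subject, pk))}

def verify_cert(ca_pk, cert):  # steps 911 / 913: check against the key in CERTca
    return rsa_verify(ca_pk, b"cert", cert_body(cert["subject"], cert["pk"]), cert["sig"])


def run_level5(server_sk, server_cert, user_sk, user_cert, ca_pk):
    """Return (server_authenticated, user_authenticated, session key or None)."""
    # (A) client -> server: CERTm, verified with CERTca (911).
    # (B) server -> client: CERTs, verified with CERTca (913).
    if not (verify_cert(ca_pk, user_cert) and verify_cert(ca_pk, server_cert)):
        return False, False, None
    # (C) client draws DEK1 (914) and sends PKs(DEK1) (915); server recovers it with SKs (916).
    dek1 = secrets.randbits(56)
    dek1_at_server = rsa_decrypt(server_sk, rsa_encrypt(server_cert["pk"], dek1))
    # (D) server signs DEK1 with SKs (917) and sends the signature wrapped under DEK1 (918).
    msg_d = sym(dek1_at_server, to_b(rsa_sign(server_sk, b"server-auth", to_b(dek1_at_server))))
    # (E) client unwraps with its DEK1 and checks the signature with PKs from CERTs (919);
    #     verifying against the digest of the client's own DEK1 is the "compare with step 914".
    if not rsa_verify(server_cert["pk"], b"server-auth", to_b(dek1), from_b(sym(dek1, msg_d))):
        return False, False, None  # client answers NACK (920)
    # (F) server draws DEK2 (921) and sends DEK1(DEK2) (922); client unwraps with DEK1 (923).
    dek2 = secrets.randbits(56)
    dek2_at_client = from_b(sym(dek1, sym(dek1_at_server, to_b(dek2))))
    # (G) client signs DEK2 with SKm (924) and sends it wrapped under DEK2 (925).
    msg_g = sym(dek2_at_client, to_b(rsa_sign(user_sk, b"user-auth", to_b(dek2_at_client))))
    # server unwraps with DEK2 and checks the signature with PKm from CERTm (926).
    user_ok = rsa_verify(user_cert["pk"], b"user-auth", to_b(dek2), from_b(sym(dek2, msg_g)))
    # (H) server answers ACK/NACK (927); traffic then runs under DEK2 (928).
    return True, user_ok, (dek2 if user_ok else None)


def demo():
    """Honest run, an impostor without SKm, and a server certificate not issued by the CA."""
    ca_pk, ca_sk = rsa_keypair(*PRIMES[0])
    server_pk, server_sk = rsa_keypair(*PRIMES[1])
    user_pk, user_sk = rsa_keypair(*PRIMES[2])
    server_cert = make_cert(ca_sk, "server", server_pk)
    user_cert = make_cert(ca_sk, "user", user_pk)
    rogue_cert = make_cert(server_sk, "server", server_pk)  # self-signed, not by the CA
    return {
        "honest": run_level5(server_sk, server_cert, user_sk, user_cert, ca_pk),
        "impostor_user": run_level5(server_sk, server_cert, server_sk, user_cert, ca_pk),
        "rogue_server_cert": run_level5(server_sk, rogue_cert, user_sk, user_cert, ca_pk),
    }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from the example rather than from the page's wording. First, the page has the server sign the very value DEK1 that it has just decrypted with the same key pair; with textbook RSA, signing and decrypting are the same operation, so an implementation that signs the raw value hands out a decryption oracle, which is why the example signs a domain-separated digest of DEK1 instead. Second, the page's only integrity protection on the wrapped messages (D) and (G) is the signature inside them; the keystream cipher used here, like DES in a confidentiality-only mode, does not detect tampering on its own, so a real implementation needs an authenticated mode or a MAC once traffic runs under DEK2.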

What is claimed is: 

1. A security level control apparatus for controlling a 
security level of a communication established between com- 
munication parties, comprising: 

security level recognizing means for recognizing a secu- 
rity level notified from a communication party; 

security level converting table means for storing therein a 
relationship between an index having two sets of secu- 
rity levels and a security level of an actual communi- 
cation; 

security level reading means for setting the security level 
of the communication party recognized by said security 
level recognizing means and a security level owned by 
said security level control apparatus as said index, and 
for reading a security level corresponding to said index 
from said security level converting table means; and 

security level setting means for setting the security level 
read from said security level reading means as the security 
level of said security level control apparatus. 

2. A network communication system provided with a 
server apparatus and a client apparatus, which perform a 
communication whose security level is set, wherein 

said client apparatus includes a security level control 
apparatus; and 
said security level control apparatus includes: 

security level recognizing means for recognizing a 
security level notified from a communication party; 
security level setting means for setting the security 
level recognized by said security level recognizing 
means as a security level for said client apparatus; 
and 

security level converting table means for storing therein 
a relationship between an index having two sets of 
security levels and a security level of an actual 
communication. 

3. A network communication system as claimed in claim 
2 wherein 

said security level control apparatus provided with said 
client apparatus controls a security level with respect to 
the at least one server apparatus. 

4. A network communication system as claimed in claim 
2 wherein 

said security level control apparatus owned by said client 
apparatus includes: 

security level converting table means for storing therein 
a relationship between an index constituted by two 
sets of security levels and a security level of an actual 
communication; and 

security level reading means for setting the security 
level of said at least one server apparatus recognized 
by said security level recognizing means and a 
security level of said client apparatus designated as 
said index, and for reading a security level corre- 
sponding to said index firom said security level 
converting table means, and 
said security level setting means sets the security level 
read out from said security level reading means as a 
security level for said client apparatus. 

5. A network communication system provided with a 
server apparatus and at least one client apparatus, which 
perform a communication whose security level is set, 
wherein 

said server apparatus includes a security level control 
apparatus; and 
said security level control apparatus includes: 

security level recognizing means for recognizing a 
security level notified from a communication party; 
security level setting means for setting the security 
level recognized by said security level recognizing 
means as a security level for said server apparatus; 
and 

security level converting table means for storing therein 
a relationship between an index having two sets of 
security levels and a security level of an actual 
communication. 

6. A network communication system as claimed in claim 
5 wherein 

said security level control apparatus provided with said 
server apparatus controls a security level with respect 
to said at least one client apparatus. 

7. A network communication system as claimed in claim 
5 wherein 

said security level control apparatus owned by said server 
apparatus includes: 

security level converting table means for storing therein 
a relationship between an index constituted by two 
sets of security levels and a security level of an actual 
communication; and 

security level reading means for setting the security 
level of said at least one client apparatus recognized 
by said security level recognizing means and a 
security level of said server apparatus designated as 
said index, and for reading a security level corre- 
sponding to said index from said security level 
converting table means, and 
said security level setting means sets the security level 
read out from said security level reading means as a 
security level for said server apparatus. 

8. A network communication system provided with at 
least one server apparatus and a client apparatus, which 
perform a communication whose security level is set, 
wherein 

said client apparatus includes a security level control 
apparatus, 

said security level control apparatus includes: 

security level recognizing means for recognizing a 
security level notified from a communication party; 
and 

security level setting means for setting the security 
level recognized by said security level recognizing 
means as a security level for said client apparatus, 
said security level control apparatus owned by said client 
apparatus includes: 

security level converting table means for storing therein 
a relationship between an index constituted by two 
sets of security levels and a security level of an actual 
communication; and 

security level reading means for setting the security 
level of said at least one server apparatus recognized 
by said security level recognizing means and a 
security level of said client apparatus designated as 
said index, and for reading a security level corre- 
sponding to said index from said security level 
converting table means, 
said security level setting means sets the security level 
read out from said security level reading means as a 
security level for said client apparatus, and 
said security level control apparatus owned by said client 
apparatus dynamically changes the security level in 
response to a request of said client apparatus even 
during executions of the communication. 

9. A network communication system provided with a 
server apparatus and at least one client apparatus, which 
perform a communication whose security level is set, 
wherein 

said server apparatus includes a security level control 
apparatus, 

said security level control apparatus includes: 

security level recognizing means for recognizing a 
security level notified from a communication party; 
and 

security level setting means for setting the security 
level recognized by said security level recognizing 
means as a security level for said server apparatus, 
said security level control apparatus owned by said server 
apparatus includes: 

security level converting table means for storing therein 
a relationship between an index constituted by two 
sets of security levels and a security level of an actual 
communication; and 

security level reading means for setting the security 
level of said at least one client apparatus recognized 
by said security level recognizing means and a 
security level of said server apparatus designated as 
said index, and for reading a security level corre- 
sponding to said index from said security level 
converting table means, 
said security level setting means sets the security level 
read out from said security level reading means as a 
security level for said server apparatus, and 
said security level control apparatus owned by said server 
apparatus dynamically changes the security level in 
response to a request of said server apparatus even 
during executions of the communication. 

10. A network communication system provided with a 
server apparatus and a client apparatus, which perform a 
communication whose security level is set, wherein: 

said client apparatus and said server apparatus include 
security level control apparatuses; and 
each of said security level control apparatuses includes: 

security level recognizing means for recognizing a 
security level notified from a communication party; 

security level converting table means for storing therein 
a relationship between an index constituted by two 
sets of security levels and a security level of an actual 
communication; 

security level reading means for setting the security 
level of the communication party recognized by said 
security level recognizing means and a security level 
for said security level control apparatus as said 
index, and for reading a security level corresponding 
to said index from said security level converting 
table means; and 

security level setting means for setting the security 
level read from said security level reading means as the 
security level for said security level control appara- 
tus. 
11. A network communication system provided with at 
least one server apparatus and a client apparatus, which 
perform a communication whose security level is set, 
wherein 

said client apparatus includes a security level control 
apparatus, 

said security level control apparatus includes: 

security level recognizing means for recognizing a 
security level notified from a communication party; 
and 

security level setting means for setting the security 
level recognized by said security level recognizing 
means as a security level for said at least one server 
apparatus, 

said security level control apparatus owned by said client 
apparatus includes: 

security level converting table means for storing therein 
a relationship between an index constituted by two 
sets of security levels and a security level of an actual 
communication; and 
security level reading means for setting the security 
level of said at least one server apparatus recognized 
by said security level recognizing means and a 
security level of said client apparatus designated as 
said index, and for reading a security level corre- 
sponding to said index from said security level 
converting table means, 
said security level setting means sets the security level 
read out from said security level reading means as a 
security level for said client apparatus, 
said security level control apparatus owned by said client 
apparatus dynamically changes the security level in 
response to a request of said client apparatus even 
during executions of the communication, and 
said security level control apparatus owned by said server 
apparatus dynamically changes the security level in 
response to a request of said server apparatus even 
during executions of the communication. 

12. A security level control method for controlling a 
security level of a communication established between com- 
munication parties, comprising the steps of: 

recognizing a security level notified from a communica- 
tion party; 

storing a relationship between an index having two sets of 
security levels and a security level of an actual com- 
munication; 

setting the security level of the communication party 
recognized by said recognizing step and a security level 
obtained by said security level control step designated 
as said index, and for obtaining a security level corre- 
sponding to said index from said storing step; and 

setting the security level obtained from said setting step. 

13. A network communication system having a server and 
client, comprising: 

a security level table storing a relationship, based on a 
recognized security level of a communication party, 
between an index having two sets of security levels and 
a security level of an actual communication; and 

a security level control apparatus controlling the security 
level of communications between the server and the 
client based on the security level table. 
[57] ABSTRACT 

Method and system for transmitting information during 
call connections between a multiplicity of subscribers as 
components of traffic in an integrated services network 
(ISN), in which the information traffic consists of a 
multiplicity of media types according to the different 
subscribers including voice, video and data traffic com- 
ponent types. A plurality of traffic component types in 
the form of portions of information streams to be trans- 
mitted from subscribers at an entry point of the ISN 
during respective call connections are assembled into 
each of a sequence of composite frames of variable size 
for transmission through the ISN. The traffic compo- 
nent types assembled into each of the composite frames 
are limited to those destined for subscribers at the same 
exit point of the ISN. Each composite frame is config- 
ured with the traffic component types assigned to re- 
spective separate groups of adjacent channels of prede- 
termined bandwidth with each group limited to chan- 
nels transporting traffic components of the same type 
and each channel in a group dedicated to a particular 
subscriber of the respective traffic component type for 
the duration of its respective call connection. Band- 
width in the composite frames is selectively seized for 
reallocation among the various traffic component types 
during periods of traffic congestion. 
11/12/2003, EAST Version: 1.4.1

U.S. Patent Nov. 17, 1992 Sheet 1 of 10 5,164,938

[FIG. 1: simplified diagram of the integrated services network; labels recoverable from the drawing: SLS, SPU, UCU; reference numerals 25, 27, 28, 30, 32, 33, 34]

[FIG. 2: simplified block diagram of a packet switch; labels: SWITCHING NODE 22, SFS 24, UCU, TPU; reference numerals 36, 37, 38]
[Drawing sheet 2 of 10: no figure text recoverable]
[Drawing sheet 3 of 10]

[FIG. 5: composite data frame with HEADER (90), PAYLOAD (94) and FCS (99); reference numerals 92, 93, 100, 101. Payload channels grouped by T-slot: CHANNEL #1, #2, ... of 64 bits (64 kb X.25 T-slot, 96); CHANNEL #1, #2 of 32 bits (ADPCM T-slot, 97); CHANNEL #1, #2 of 16 bits (9.6 kb SDLC T-slot, 98)]

[FIG. 6(a): frame header fields FLAG, PT, VPI, VER, PFC (carrying bits A, B, C), then PAYLOAD and FCS; bit offsets n, n+7]

[FIG. 6(b) (PRIOR ART): cell header fields PFC, VPI, PT, RSVD, HEC, then PAYLOAD; bit offsets 0, 3, 27, 29, 31, 39]

[FIG. 6(c) (PRIOR ART): frame fields FLAG, ADDRESS (VPI), CONTROL (PT), INFORMATION (PAYLOAD), FCS; bit offsets 0, 7, 23, 31 and n, n+2]
[Drawing sheet 4 of 10]

[FIG. 8: composite frame HEADER followed by channels CH. 1.1, CH. 1.2, CH. 1.3, CH. 1.4 (T-slot #1) and CH. 2.1, CH. 2.2 (T-slot #2)]

[FIG. 9: frame with bandwidth marked AVAILABLE (UNALLOCATED)]
[Drawing sheet 5 of 10]

[Unlabelled drawing: frame header/payload and a VCP header carrying bits A, B, C and channels 1, 2, 3; reference numerals 120, 130]

[FIG. 11(a) and FIG. 11(b): nodes #1 to #5, each with SPU, FIP and EFPS; reference numerals 130, 131, 132, 137; MAX CONGESTION THRESHOLD ON TRANSMIT QUEUE]
[Drawing sheet 6 of 10]

[FIG. 11(c) and FIG. 11(d): nodes #1 to #6, each with SPU, FIP and EFPS; FLOW CONTROL exercised between nodes; reference numerals 130, 131, 132, 135, 139, 147, 148]

[FIG. 12: SLS (157), SFS and VCP anchor (VCPA)]
[Drawing sheet 7 of 10]

[FIG. 13: LOGICAL VCP AS VIEWED BY SLSs contrasted with the ACTUAL PATH OF SUBSCRIBER DATA CELLS, showing TLS ANCHORING and SLS ANCHORING]

[FIG. 14: LINK/T-SLOT PROFILE of A-BIT values against TIME; rows as recovered: 1: 1 1 1 1; 2: 1 1 0 0; 3: 1 0 1 1; 4: 1 0 0 1; 5: 0 1 1 1; 6: 0 1 0 0; 7: 0 0 1 0; 8: 0 0 0 0]

[FIG. 18: no figure text recoverable]
[Drawing sheet 8 of 10]

[FIG. 15 (flowchart): SLS CHANNEL REQUEST; NO BW AVAILABLE; CHANNEL REQUEST DENIED; ESTABLISH TLS ANCHORED VCP; NOTIFY SLS TO BUILD OR UTILIZE SLS BASED ANCHOR; NOTIFY ALL SLS BASED ANCHORS TO BE CONSOLIDATED; BEGIN NORMAL FRAME RECONFIG FOR REPLACEMENT CHANNELS (ONES BEING CONSOLIDATED); BEGIN NORMAL FRAME RECONFIGURATION FOR ORIGINAL REQUEST; END]

[FIG. 16 (flowchart): SLS CHANNEL RELEASE; TLS BEGIN NORMAL FRAME RECONFIG FOR CHANNEL RELEASE; NOTIFY ALL SLSs INVOLVED IN VCP; WAIT FOR OTHER SLSs TO REQUEST REPLACEMENT CHANNELS (ONES BEING CONSOLIDATED); WAIT FOR CHANNEL RELEASE REQUESTS FROM SLSs; RELEASE REQUESTED CHANNEL; YES; BEGIN NORMAL VCP TEARDOWN; END]
[Drawing sheet 9 of 10]

[FIG. 17 (flowchart): REV. FRAME REC. REQ CONTR. FRAME; NO FLOW CONTROL; TIMER: START LINK/T-SLOT PROFILE VERIF.; REQUIRED; BW SEIZING; SET A=1 FOR ALL VCPs ON LINK FOR ALL FRAMES GOING IN REVERSE DIREC.; UPDATE T-SLOT PROFILE TABLE (OR RELEASE RESERVED BW); SET UP PERIODIC LINK/T-SLOT PROFILE VERIF.; SEND FRAME RECONFIG. REQUEST TO NEXT NODE; BW SEIZING; SET A=0 FOR FRAMES DESTINED TOWARD VCP ANCHOR; TIMER: NEXT CYCLE OF LINK/T-SLOT PROFILE VERIF.]

[FIG. 20: SWITCHING FABRIC, SUBSCRIBER, REC'D FRAME, VCP TEMPLATE, DECOMPOSED FRAME: CELLS]
[Drawing sheet 10 of 10]

[FIG. 19(a) (flowchart): START FRAME COMPOSITION; SELECT T-SLOT X; T-SLOT X PRESENT / DOESN'T EXIST; NO BUCKETS POSTED FOR TRANSMISSION: FRAME: SET B=1; N BUCKETS POSTED FOR TRANSMISSION: FRAME TEMPLATE: SET B=0; FRAME: SET C=1 FOR N CORRESPONDENT CHANNELS; WRITE DATA FROM N BUCKETS TO CORRESPONDENT CHANNELS; SEND FRAME]

[FIG. 19(b) (flowchart): START FRAME DECOMPOSITION; PFC ANALYSIS: OFFSET STARTING BITS FOR EACH T-SLOT AND EACH CHANNEL IN THE PAYLOAD; DECOMPOSE REC'D FRAME PAYLOAD AND FORWARD EACH CHANNEL TO THE APPROPRIATE SUBSCRIBER]
BANDWIDTH SEIZING IN INTEGRATED SERVICES NETWORKS

CROSS REFERENCE TO RELATED APPLICATIONS

This application is related to copending U.S. patent applications filed in the name of M. Jurkevich and S. Bernstein on even date herewith, and assigned to the same assignee as the instant application, as follows:

"Configurable Composite Data Frame", U.S. application Ser. No. 676,524;

"Frame Compression in Integrated Services Networks", U.S. application Ser. No. 676,535;

"Composite Frame Reconfiguration in Integrated Services Networks", U.S. application Ser. No. 676,537;

"Adaptive VCP Control in Integrated Services Networks", U.S. patent application Ser. No. 676,540;

"Prioritizing Attributes in Integrated Services Networks", U.S. application Ser. No. 676,515; and

"Fixed Interval Composite Framing in Integrated Services Networks", U.S. application Ser. No. 676,536.

BACKGROUND OF THE INVENTION

The present invention relates generally to packet switched digital telecommunication networks, and more particularly to improvements in fully integrated voice, data, and video (multimedia) communication services through the shared use of transmission and switching facilities in an integrated services network, including but not limited to networks such as those defined by the CCITT ISDN (Integrated Services Digital Network) and Broadband ISDN (B-ISDN) standards. The present invention provides for the coexistence and integration of 1.2 kilobits per second (kbps) to 2.048 megabits per second (mbps) applications with B-ISDN (>2.048 mbps) applications in a true multimedia network.

In recent years, the International Telegraph and Telephone Consultative Committee (CCITT), a telecommunications industry international standards-setting group, established Study Group 18 to undertake cooperative planning of B-ISDNs. A principal aspect of B-ISDN is the support it would offer to multimedia traffic applications, in which a multiplicity of traffic component types including voice, data, and video are to be communicated through the network. Each traffic component type exhibits significantly different characteristics or attributes from the others, and may have different characteristics among the members of its own type or class. For example, pure data traffic components may be interactive data, local file transfer data, facsimile data, and so forth, which have different burst sizes, or "burstiness". Such different attributes create differences in the requirements imposed on the network and local equipment for efficient and effective handling of the traffic component types in the communication between sources and destinations of the traffic. For instance, isolated loss of voice packets may be tolerated in telephone communications because the listener can comprehend the overall tenor of the conversation despite these slight gaps. Although quality suffers, the "human ear" is quite forgiving in these circumstances. Delays between different voice packets, i.e., a change in the sequence of the packets from source to destination, however, is unacceptable. In contrast, transmission of data such as X.25 packets may not be adversely affected by delay among packets in transmission, but the loss of individual packets can prevent restoration of an entire message.

In 1988, CCITT Study Group 18 approved recommendation I.121 which identified Asynchronous Transfer Mode (ATM) as the target solution for implementing B-ISDNs. ATM is an asynchronous time division multiplexing technique employing fast packet switching which communicates user information through the network in fixed length packets (called "cells" in the ATM jargon) of 53 bytes each. One mission of the Study Group 18 Working Party 8 has been to standardize B-ISDN user network interfaces, including one at 155 mbps [...] industry, however, is on fast packet (broadband) switching products at 1.54 to 45 mbps. For multimedia networks, the ATM scheme advanced by Study Group 18 uses fixed size cells each of which is assigned to a single user or traffic component type. Depending on user requirements at a given time, considerable bandwidth may be unused because partially empty channels are being transmitted.

In U.S. Pat. No. 4,980,886 titled "Communication System Utilizing Dynamically Slotted Information" (the "'886 Patent"), assigned to the same assignee as the present application, S. Bernstein discloses a multimedia [...] payload size, with a fixed number of slots assigned to users, and in which the slot assignments may be changed periodically to improve communication performance. These are composite frames, packing several users/traffic component types into each frame, rather than only one user per frame.

The invention disclosed in the '886 Patent departs from prior burst switching technology by distributing user payloads among the available slots in a multimedia frame based on the specified bandwidth requirements of [...]. The slots, which constitute portions of the available bandwidth for each frame, are not necessarily [...] respective users from start to finish of a [...]. Instead, each user is guaranteed a certain [...] bandwidth and all users contend for bandwidth in each frame, according to their individual needs. The sending side packet switch allocates bandwidth on a frame-by-frame basis, so that users may be moved from one slot to another or to several slots in mid-transmission (i.e., on a "per burst" basis).

In the invention of the '886 Patent, unused bandwidth is not locked out; if a particular user has nothing to send or is not using its minimum guaranteed bandwidth (total slot or slots), the respective slot or portion thereof is allocated to a user having need for it. As the circumstances change, the allocations change. The receiving side [...] monitors the slots in each incoming [...] information (data, [...]) [...] information to its proper destination. Thus, [...] the invention of the '886 Patent provides an entirely controllable bandwidth in which users are assigned priority rights to particular slots, but, depending on each user's particular need for bandwidth, bursts or blocks of information are temporarily allocated to unused slots or unused space in slots on a frame-by-frame basis.
SUMMARY OF THE INVENTION

The present invention also utilizes a composite frame approach for fast packet multimedia or integrated services networks, but instead of users contending for bandwidth in each frame as in the invention of the '886 Patent, bandwidth is conserved and efficiently utilized in a different way, namely, through techniques of frame compression and bandwidth seizing. The concepts of bandwidth contention within a frame as disclosed in the '886 Patent, and frame compression as disclosed in this application and its related applications, are based in part on the relatively recent concept of packet switching using fixed sizes. For example, older packet switching techniques such as X.25 use variable size packets. The ATM scheme employs fixed size cells (with its disadvantages), but is of only recent vintage. The present invention utilizes variable size packets or frames having fixed size channels, and a scheme by which frames may be compressed to conserve bandwidth rather than employing techniques of contention for the available bandwidth.

The terminology "composite data frame" or "composite frame" as used herein refers to frames or packets which are composed of multimedia information components, that is, different traffic component types assembled into a single frame for transmission between subscribers through the network, and which may utilize techniques of frame compression and bandwidth seizing according to the invention. Within that terminology it will be understood that the term "data" is used in a broad sense, encompassing all traffic component types rather than being restricted to pure data only, although in other instances herein the terminology "data" will be used in the narrower sense.

It is a principal object of the present invention to provide an improved method for multimedia frame configuration and transmission in integrated services networks (ISNs), including those of the ISDN type.

It is another broad object of the present invention to provide improved techniques for configuring the payload and control information of a multimedia composite frame for communication between subscribers in an integrated services network.

According to an important aspect of the present invention, all of the various traffic component types in the data streams from multiple subscribers are assembled into composite frames configured for transmission to other subscribers through the integrated services network in such a way as to provide optimum network utilization with minimum cost, and at the same time to satisfy the individual performance requirements of each of the particular traffic component types. The various subscriber data streams are combined by traffic component type at the entry point to the network, if destined for the same exit point. At the exit point, the individual traffic component types are dispersed in separate directions according to their predetermined destinations.

Each traffic component type, whether voice, video, or low speed data, high speed data or otherwise, possesses different characteristics or attributes, such as length of burst, ability to tolerate delay, and so forth. The network itself also has different characteristics or attributes, such as the inherent tendency to introduce transmission delay, which impacts on the attribute of each of the various traffic components' capacity to tolerate delay. Another inherent or intrinsic network attribute is the tendency to cause data loss depending on the nature of the traffic in the network. The extent of data loss that a traffic component can suffer and still allow the network to provide adequate service also varies from traffic component to traffic component. The phenomenon that different components of traffic in an integrated services network are affected differently by transmission characteristics of the network is, in and of itself, well known. Proposals in the prior art to solve this problem, however, have proved inadequate.

The present invention, in part, is effective to decouple the traffic component attributes and the network attributes and provide priorities for individual network attributes on a traffic component basis. The principles employed, in which all network attributes are controllable entities on a per-traffic component basis, are to be contrasted with specialized network approaches employed in present day telecommunications systems, in which a single priority level scheme applies for all network attributes. The latter are truly effective where there is only one traffic component and only one or relatively few network attributes which apply to that component, such as in an X.25 data network or a pure voice network. The present invention includes assigning of priorities so that, for example, voice traffic may be allowed to suffer data loss but no delays, while data packets such as X.25 are permitted to suffer delay but no data loss. Such conflicting requirements are resolved in one aspect by assigning traffic component types to separate frames according to their respective sensitivities and tolerances, while satisfying the need for rapid transmission, and increased throughput performance in the network.

It is therefore another object of the present invention to provide systems and methods in an integrated services network by which the transmission and throughput performance of various traffic component types is enhanced by prioritizing them on the basis of their respective attributes in the environment of the ISN, so that priority of transmission can be given to those composite data frames containing the traffic component types assigned the higher priorities during periods of traffic congestion or when traffic flow otherwise requires control.

According to a feature of the present invention, the multimedia communication method and system utilizes a composite data frame configured with a multi-slotted payload, each slot being a channel which is allocated to a subscriber having requirements for transmission of a particular type of traffic component. The payload of the composite frame is divided into multiple channels and the channels are grouped according to traffic component type, with each grouping of plural channels in the frame referred to herein as a traffic component slot, or simply, T-slot. The frames are composed with a particular configuration of channel assignments and inclusions on a per call connection basis, dedicated for the duration of the call connection, and may be reconfigured on request by subscriber according to established priorities based on traffic conditions such as link congestion on the network.

Present day schemes provide static allocation of channels, and contention for channels by active connections. In contrast, the present invention allocates channels dynamically upon request at connection activation time (and deallocates on call termination), and there is no contention for channels; rather, the channels are dedicated to one connection for the entire duration of that connection. The multimedia information (voice,
data, video and/or other traffic component type) to be transmitted from multiple subscribers located at a network entry point is assembled from the subscriber data streams into fixed size packets for consolidation in the same size channels allocated to the subscribers in the payload of a composite frame, provided that the various traffic components are all destined for the same network exit point. That is, assignment of the various subscriber data streams (of like or varying T-slot types) to the payload of a composite frame for transmission through the network is limited to those traffic components which share the same source node and same destination node in the network.

Hence, another object of the invention is to provide a composite data frame of variable size which is configured as a vehicle to convey through the network data streams emanating from subscribers at a source endpoint node of the network, in the form of a plurality of traffic component types, in channels grouped and of fixed size according to traffic component type, provided that the traffic components assembled within any given composite frame are destined for the same endpoint node.

According to another feature of the invention, the composite frames are assembled by fixed interval framing and transmitted through the network by synchronous frame launching. To that end, each packet is shipped at a predefined fixed interval of time relative to the timing of shipment of the immediately preceding packet, without regard to whether or not each channel in the packet is completely filled at that point in time. The synchronous frame launching is used to build composite frames with fixed channel sizes, which permits elimination of overhead control information including specification of channel size, amount of information to be received, and maximum amount of information to be transmitted on the connection, typically associated with other existing composite frame schemes. This reduces the amount of bandwidth required for transmission of the frames.

Another object of the invention, therefore, is to provide a fast packet switched integrated services network in which composite frames are assembled and launched onto the network at fixed intervals of time, in which the fixed interval is consistent throughout the network.

Decomposition information is transmitted to the exit point for the composite frames in the network by specifying the number of channels being allocated and the traffic component type for each, in a separate control frame carried outside the composite data frames. The control frame is built by the local endpoint node and sent to the remote endpoint node, when a network subscriber requests a connection or termination of a connection. Each control frame is built to contain only the delta change from the prior frame format to the current frame format, identifying the channels being added or released in the composite frame to the network remote endpoint. When a channel or channels are added, the control frame must specify the traffic component type of each such channel.

According to an important aspect of the invention, if a subscriber is not fully active, in the sense that the information stream generated by that subscriber to be transmitted to the remote endpoint within the composite data frame being assembled at the local endpoint is inadequate to fill the channel allocated to that subscriber, that channel is eliminated from the frame. In this way, any unused bandwidth is compressed out of the composite frame payload before the frame is launched into the ISN.

A further object of the invention, then, is to provide bandwidth conservation in an integrated services network in which information is conveyed in the form of composite data frames containing a plurality of traffic component types, by a technique of compressing out of each frame any unused bandwidth.

Frame compression is one of three interrelated aspects of the invention which, however, may be employed independently in ISN FPS networks. The other two of this triumvirate are reconfiguration of the composite frames, and bandwidth seizing. As has been observed herein, the composite data frame is configured with the traffic component types assigned to respective separate groups of adjacent channels for each traffic component type, so that each group is limited to channels transporting traffic components of the same type, with each channel in a group assigned entirely to a selected subscriber associated with the traffic component type for that group. According to the invention, a composite frame is reconfigured to modify the channel assignments when necessary to accommodate priorities for traffic flow among the subscribers on a network path (virtual circuit path) between entry and exit points (the two endpoint nodes or fast packet switches of the virtual circuit path) of the ISN. Bandwidth seizing is implemented when, because of priority assignments among the various traffic component types relating to concepts of guaranteed bandwidth, and traffic congestion on the network or more specifically on links or trunks of the virtual circuit path of interest, bandwidth allocation is taken at least in part from one or more traffic component types and redistributed to another or other traffic component types.

Traffic flow control is initiated at a node along the network path of interest when a link on the path associated with that node exceeds a predetermined link utilization threshold level indicative of traffic congestion. Such flow control may be undertaken either when a request for additional bandwidth (i.e., the making available of a channel) is made by any traffic component type (or more specifically, a subscriber of that traffic component type) which is below its minimum guaranteed bandwidth, or when an unusually large number of subscribers at an endpoint node are simultaneously seeking to transmit information for assembly into composite data frames. The flow control affects those traffic component types which are exceeding their minimum guaranteed bandwidth, starting with those of lowest priority. For each composite data frame in the receive queue on the congested link of the affected transit node along the network path, the node modifies a field in the header of the composite data frame to indicate that flow control is being exercised.

A reconfiguration request control frame is issued at the endpoint node of the subscriber needing additional bandwidth and meeting the necessary predetermined criteria. This request for additional bandwidth for the justified traffic component type will ultimately result in the seizure of bandwidth from any traffic component type which is exceeding its respective minimum guaranteed bandwidth in the composite data frames. At the endpoint node launching the composite frames to which the request applies, frame compression is implemented to unlock bandwidth by seizing it from the traffic component type(s) targeted by the reconfiguration request control packet. A less frequent posting of cells comprising portions of the information streams from the affected subscribers, for assembly into the composite
frames, results in frame compression by eliminating 
some or all channels of the traffic component types 
associated with the excessive bandwidth usage in at 
least some of the composite data frames. The freed 
bandwidth is thereby reallocated or redistributed and 
the reconfiguration request control frame is dispatched 
to the next transit node along the network path when 
the traffic profile indicates that the associated link is no 
longer congested. The reconfiguration request control 
frame is a packet analogous to a call setup packet, and is 
transported along the same virtual circuit path as the 
composite data frames, but acts as a control element to 
change the format of the composite frames so long as 
the request is not blocked (rejected) by a node along the 
path. The existing format of the composite frames is 
contained in a template stored at each of the nodes 
along the path, and another stored template indicates 
the amount of change of bandwidth which is permitted 
for a particular traffic component type. 
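The composition and decomposition described above, written out as an added example (this is not code from the patent): a fixed-channel composite frame is built from per-subscriber buckets at the launch instant, channels that cannot be filled are compressed out and flagged in a channel-present bitmap (standing in for the PFC), and the receiver rebuilds the channel boundaries from its stored template rather than from anything carried in the frame. The header layout, the CRC-32 FCS, the channel widths in bytes, and the subscriber and template data are assumptions constructed for this example.

```python
import struct
import zlib
from dataclasses import dataclass

# Channel width in bytes per traffic component type. The 64/32/16-bit widths
# follow FIG. 5; the type names and the byte-level header layout below are
# assumptions made for this example, not the patent's.
CHANNEL_BYTES = {"X25": 8, "ADPCM": 4, "SDLC": 2}


@dataclass(frozen=True)
class Channel:
    subscriber: str
    ttype: str  # traffic component type; adjacent channels of one type form a T-slot


# Frame template held at both endpoint nodes of the VCP: fixed channel order,
# grouped by T-slot. Constructed for this example.
TEMPLATE = [
    Channel("A", "X25"), Channel("B", "X25"),       # T-slot 1
    Channel("C", "ADPCM"), Channel("D", "ADPCM"),   # T-slot 2
    Channel("E", "SDLC"),                           # T-slot 3
]

HDR = struct.Struct("!HHH")  # VPI, channel-present bitmap (PFC), payload length
FCS = struct.Struct("!I")    # CRC-32 trailer


def compose(template, buckets, vpi=1):
    """Build one compressed composite frame at the fixed launch instant.

    `buckets` maps subscriber -> bytes posted since the last launch. A channel
    whose bucket cannot fill it is compressed out: its bitmap bit is cleared
    and no payload bytes are emitted for it. Consumed bytes are removed from
    the bucket; the remainder waits for the next launch.
    """
    if len(template) > 16:
        raise ValueError("bitmap carries at most 16 channels")
    present, payload = 0, bytearray()
    for i, ch in enumerate(template):
        size = CHANNEL_BYTES[ch.ttype]
        data = buckets.get(ch.subscriber, b"")
        if len(data) >= size:
            present |= 1 << i
            payload += data[:size]
            buckets[ch.subscriber] = data[size:]
    body = HDR.pack(vpi, present, len(payload)) + bytes(payload)
    return body + FCS.pack(zlib.crc32(body))


def decompose(template, frame, vpi=1):
    """Split a received frame into (subscriber, bytes) pairs.

    The stored template, not the frame, decides every channel size and offset,
    so a frame whose FCS, VPI, bitmap or length disagrees with the template is
    rejected before any payload is handed to a subscriber.
    """
    if len(frame) < HDR.size + FCS.size:
        raise ValueError("truncated frame")
    body, (fcs,) = frame[:-FCS.size], FCS.unpack(frame[-FCS.size:])
    if zlib.crc32(body) != fcs:
        raise ValueError("FCS mismatch")
    fvpi, present, plen = HDR.unpack_from(body)
    if fvpi != vpi:
        raise ValueError("frame arrived on the wrong VCP")
    if present >> len(template):
        raise ValueError("bitmap names a channel the template does not have")
    expected = sum(CHANNEL_BYTES[ch.ttype]
                   for i, ch in enumerate(template) if present >> i & 1)
    if plen != expected or len(body) != HDR.size + plen:
        raise ValueError("payload length disagrees with template")
    out, off = [], HDR.size
    for i, ch in enumerate(template):
        if present >> i & 1:
            size = CHANNEL_BYTES[ch.ttype]
            out.append((ch.subscriber, body[off:off + size]))
            off += size
    return out


if __name__ == "__main__":
    # Constructed buckets: B and E cannot fill their channels, D posted nothing.
    buckets = {"A": b"12345678", "B": b"123", "C": b"abcd", "E": b"xyz"}
    frame = compose(TEMPLATE, buckets)
    print(len(frame), "bytes:", decompose(TEMPLATE, frame), "left over:", buckets)
```

A decomposer that instead trusted a length or channel-size field inside the frame would let a corrupted or forged frame read one subscriber's channel as another's; here the length and bitmap must agree with the template before any byte is attributed, and a tampered payload fails the FCS check first.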

Therefore, yet another object of the invention is to 
provide a method and system for selectively reconfigur- 
ing composite data frames in an integrated services 
network as necessary for optimum bandwidth utiliza- 
tion, traffic flow and throughput performance. 

Still another object is to provide a scheme for selec- 
tively seizing bandwidth from one or more traffic com- 
ponent types and redistributing the seized bandwidth to 
one or more other traffic component types having a 
greater priority for the bandwidth in an integrated ser- 
vices network. 
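The flow-control and seizing rule described above, as an added example rather than the patent's own logic: a request for bandwidth is honoured from free capacity while the link is below its utilization threshold, and otherwise by seizing channels from traffic component types that exceed their minimum guaranteed bandwidth, lowest priority first and never dipping into a guarantee; the result is the delta control frame (channels added, channels released) that goes to the remote endpoint. The numeric priorities, the channel-count units, the threshold and the traffic mix are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class TrafficType:
    name: str
    priority: int    # larger value = higher priority (assumption for this example)
    guaranteed: int  # minimum guaranteed bandwidth, in channels per frame
    allocated: int   # channels currently carried for this type


@dataclass
class Link:
    capacity: int     # channels one launch interval can carry on this link
    threshold: float  # utilization above which the node exercises flow control
    types: dict       # name -> TrafficType

    def in_use(self):
        return sum(t.allocated for t in self.types.values())

    def congested(self):
        return self.in_use() / self.capacity > self.threshold


def seize_bandwidth(link, requester, wanted):
    """Handle a reconfiguration request for `wanted` channels.

    Returns the delta control frame {"added": [...], "released": [...]} to send
    to the remote endpoint, or None if the request is blocked. Only a type below
    its guarantee may trigger seizing; bandwidth is taken from types above their
    guarantee, lowest priority first. Link state changes only if the whole
    request can be satisfied, so a blocked request leaves every allocation as it was.
    """
    req = link.types[requester]
    if req.allocated >= req.guaranteed:
        return None                     # request does not meet the criteria
    wanted = min(wanted, req.guaranteed - req.allocated)
    free = link.capacity - link.in_use()
    if not link.congested():
        grant = min(wanted, free)       # no flow control: use free capacity only
        if grant == 0:
            return None
        req.allocated += grant
        return {"added": [(requester, grant)], "released": []}
    shortfall = max(0, wanted - free)
    released = []
    victims = sorted((t for t in link.types.values()
                      if t.name != requester and t.allocated > t.guaranteed),
                     key=lambda t: t.priority)   # lowest priority first
    for victim in victims:
        if shortfall == 0:
            break
        take = min(shortfall, victim.allocated - victim.guaranteed)
        released.append((victim.name, take))
        shortfall -= take
    if shortfall:
        return None                     # blocked: no seizable bandwidth left
    for name, take in released:         # commit only once the whole request fits
        link.types[name].allocated -= take
    req.allocated += wanted
    return {"added": [(requester, wanted)], "released": released}


if __name__ == "__main__":
    # Constructed link: 8 channels, fully used, voice below its guarantee.
    link = Link(8, 0.8, {
        "voice": TrafficType("voice", 3, 3, 1),
        "video": TrafficType("video", 2, 2, 4),
        "data": TrafficType("data", 1, 1, 3),
    })
    print(seize_bandwidth(link, "voice", 3))   # seizes 2 channels from data
    print(seize_bandwidth(link, "video", 1))   # None: video already above guarantee
```

The check that the requester is itself below its guarantee is the "predetermined criteria" of the text made concrete; an endpoint that honoured any reconfiguration request would let one subscriber reshape the composite frame to starve the others.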

According to still another aspect and feature of the invention, logical connections are established between subscribers at endpoint nodes of the ISN at the time of call setup, in the form of virtual circuits (VCs), and between pairs of endpoint nodes to accommodate a multiplicity of VCs, in the form of virtual circuit paths (VCPs), and the establishment, location and relocation of VCP anchors at endpoint nodes within the ISN are adaptively controlled according to the needs of the network and its subscribers. Each endpoint node, or more precisely the point of multiplexing within the node, may anchor more than one VCP. Each VCP not only constitutes a logical connection between a pair of endpoint nodes, but has a one-to-one coupling with the composite data frame transported on it.

Information concerning each VCP anchored at a 
particular endpoint node (a fast packet switch) is stored 
at that node. In some instances a VCP is anchored at the 
trunk side of the switch fabric, and in other instances a 
VCP is anchored at the subscriber side of the switch 
fabric. The decision on where to anchor the VCP in 
these instances is based on the traffic patterns between 
the source and destination endpoint nodes, and includes 
such factors as whether the VCs to be multiplexed terminate on the VCP anchor node, whether all trunk line
subsystems (TLSs) and subscriber line subsystems 
(SLSs) at the endpoint node have the capability of an- 
choring a VCP, and whether the subscriber data stream 
will pass through the switch fabric not more than once 
(except in the case of local switching). 

The choices of whether to have multiple parallel VCPs between endpoint nodes and of where to locate the VCP anchor(s) within a particular endpoint node are determined by the opportunity to multiplex VCs onto the VCP. Periodic reevaluation is performed within the ISN for optimal VCP anchor locations and VC loading (i.e., number of VCs multiplexed). As network traffic conditions change over time, the invention implements adaptive relocation of the VCP anchor to the optimal location for those conditions. Each endpoint node is made capable of rerouting VCPs, relocating VCP anchors, consolidating VCP anchors, and even subdividing a VCP. As the VC load increases between a pair of endpoint nodes, multiple SLS-anchored VCPs are consolidated into a single TLS-anchored VCP which uses the network-wide frame launch period. A TLS-anchored VCP may be converted to an SLS-anchored VCP when the VCP traffic load drops to a level in which the payload/header ratio of the composite data frames is unacceptably small. An existing VCP may be rerouted/reconnected if the existing route is not optimal for the network topology or traffic conditions.

According to this aspect of the invention, anchor relocation is triggered by either (1) relocation on demand, or (2) periodic relocation. In relocation on demand, anchor location is reevaluated during each VC call request from a subscriber. In periodic relocation, the relocation occurs at a fixed time or time interval. Periodic relocation is somewhat less likely to result in thrashing between anchor locations than relocation on demand.

Accordingly, it is another object of the invention to 
provide methods and systems for adaptive control of 
VCPs in an inte^ted services network designed to 
transmit a multiplicity of traffic component types be- 
tween endpoint nodes of the network within configura- 
ble composite data frames via VCPs established as logi- 
cal connections between pairs of the endpoint nodes. 
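The two relocation triggers just described, as an added Python model that is not part of the patent and not the patent's own procedure: the anchor choice for a VCP is made from the payload/header ratio of its composite frames (consolidate onto a TLS-anchored VCP while the frames are well filled, revert to SLS anchoring when the ratio becomes too small), and the same decision is driven either at every call request or release event (relocation on demand) or only every k-th event (periodic relocation), counting how often the anchor moves. The channel size, the ratio threshold, the evaluation period and the VC-load trace are constructed assumptions, not values from the patent.

```python
"""Adaptive VCP anchor relocation: relocation on demand versus periodic relocation.

Added example, not the patent's own procedure. Every numeric value here is an assumption.
"""
from typing import List, Optional, Tuple

HEADER_BYTES = 5                # minimum composite frame header size stated in the description
CHANNEL_BYTES = 8               # assumption: one 64-bit channel per VC, as for the X.25 T-slot of FIG. 5
MIN_PAYLOAD_HEADER_RATIO = 4.0  # assumption: below this ratio a TLS-anchored VCP reverts to SLS anchoring

# Constructed trace: number of VCs multiplexed between one pair of endpoint nodes after each
# call request or release event. The load deliberately hovers around the ratio threshold.
VC_LOAD_TRACE = [1, 2, 3, 2, 3, 4, 3, 2, 3, 4, 5, 4, 3, 2, 3, 2, 3, 4, 5, 6]


def payload_header_ratio(vc_count: int) -> float:
    """Payload/header ratio of a composite frame carrying one channel per active VC."""
    return vc_count * CHANNEL_BYTES / HEADER_BYTES


def choose_anchor(vc_count: int) -> str:
    """TLS anchoring while the frames are well filled; otherwise anchor at the SLS."""
    return "TLS" if payload_header_ratio(vc_count) >= MIN_PAYLOAD_HEADER_RATIO else "SLS"


def simulate(trace: List[int], period: Optional[int]) -> Tuple[int, List[str]]:
    """Run the anchoring decision over a VC-load trace.

    period=None -> relocation on demand: re-evaluate at every call request/release event.
    period=k    -> periodic relocation: re-evaluate only at every k-th event.
    Returns (number of anchor relocations, anchor in force after each event).
    """
    anchor = "SLS"
    relocations = 0
    history: List[str] = []
    for event_no, vc_count in enumerate(trace, start=1):
        if period is None or event_no % period == 0:
            wanted = choose_anchor(vc_count)
            if wanted != anchor:
                relocations += 1
                anchor = wanted
        history.append(anchor)
    return relocations, history


if __name__ == "__main__":
    for label, period in (("on demand", None), ("periodic, every 4 events", 4)):
        count, _ = simulate(VC_LOAD_TRACE, period)
        print(f"{label}: {count} anchor relocations")
```

On this trace the on-demand policy moves the anchor at every crossing of the threshold, while the periodic policy only sees the load at its evaluation instants and moves far less often; that is the thrashing difference the description points to, at the cost of reacting later to a genuine load change.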

BRIEF DESCRIPTION OF THE DRAWINGS

The above and still further objects, features, aspects and attendant advantages of the present invention will become apparent from a consideration of the following detailed description of a presently preferred method and embodiment of the invention, taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a simplified diagram useful for explaining some of the basic concepts of the integrated services network environment in which systems and methods of the present invention may be used;

FIG. 2 is a simplified block diagram of the basic structure of a packet switch useful for implementing certain concepts of the invention;

FIG. 3 is a block diagram of a pair of endpoint fast packet switches establishing a call connection, useful to explain source and destination designations on a VC or VCP;

FIG. 4 is a block diagram illustrating the relationship of VCs to VCPs;

FIG. 5 is a representation of an exemplary composite data frame according to the preferred embodiment and method of the invention, with a fixed payload size and composition accommodating a plurality of traffic component types;

FIG. 6 is a simplified comparison of three different packet types, the composite data frame according to the preferred embodiment and method of the present invention being shown in part (a), and the ATM cell and LAPD frame of the prior art being shown in parts (b) and (c), respectively;

FIG. 7 is a simplified block diagrammatic representation of a VCP with synchronous frame launching according to the invention;

FIG. 8 is a representation of a composite data frame which provides an illustrative example of payload size for a plurality of highly active subscribers;

FIG. 9 is a set of exemplary charts illustrating the disposition of bandwidth allocation requests (FRRs) under various traffic conditions, i.e., BW grant/reject scenarios;

FIG. 10 is a simplified diagram of a VCP anchor EFPS illustrating the launching of composite data frames utilizing the preferred frame compression method of the invention;

FIGS. 11(a)-(d) are a sequence of frame processing diagrams illustrative of the initiation of flow control through bandwidth seizing according to the invention;
FIG. 12 is a block diagram illustrating the technique for anchoring a VCP in an EFPS;

FIG. 13 is a block diagram useful for explaining a local switching example in VCP anchoring;

FIG. 14 is a graph illustrating a hypothetical case of the VCP anchoring process in real time;

FIGS. 15 and 16 are flow charts indicative of the processing required for adaptive anchoring of VCPs with relocation on request for a channel and release of a channel, respectively;

FIG. 17 is a flow chart illustrating the A bit set-up procedure for bandwidth seizing;

FIG. 18 is a table indicating an exemplary link/T-slot profile for A bit set-up conditions in conjunction with bandwidth seizing;

FIGS. 19(a) and (b) are flow charts illustrating the B and C bits set-up procedure for frame composition at the source node, and the PFC field and payload analysis for frame decomposition at the destination node; and

FIG. 20 is a simplified block diagram illustrating the retrieval and delivery of data from the received composite data frames by the destination node.

DESCRIPTION OF PRESENTLY PREFERRED EMBODIMENT AND METHOD

Referring to FIG. 1, a fast packet switch (FPS) network serving as an integrated services network (ISN) 10 of a type in which the present invention is employed transports multimedia information in data frames or packets, each possibly containing a plurality of traffic component types. The frames are transported at fast packet speeds between a pair of subscribers at endpoints of the network, such as endpoints A and B. Network 10 typically has a multiplicity of endpoints A, B, C, D, etc., each serving a plurality of subscribers, such as 11-1, 11-2, . . . , 11-n at endpoint A and 12-1, 12-2, . . . , 12-n at endpoint B. The actual number of subscribers served at the various endpoints of the network may differ from endpoint to endpoint.

According to an aspect of the invention, an endpoint fast packet node or switch (EFPS) is located at each endpoint, and a transit fast packet switch (TFPS, or sometimes referred to herein simply as a transit switch) is located at each of a multiplicity of intermediate nodes such as 13, 14 and 15, of network 10. Each transit switch accommodates a plurality of transmission links or trunks within network 10. Thus, a packet launched from endpoint A to endpoint B, for example, may travel through trunks 16, 17 and 18 across transit switches 13 and 14, or, depending upon the traffic conditions, through trunks 16, 19, 20 and 18 across transit switches 13, 15 and 14. Each EFPS and TFPS of the network is a packet switch in the form of a communication processor, but the EFPS and TFPS differ from one another in implementation or the algorithms they implement, as will be explained presently.

A logical connection established between two subscribers of the integrated services network through ordinary call set-up procedures is referred to herein as a virtual circuit (VC). For example, a VC is established between subscribers 11-1 and 12-3 for a call (communication session) between the two, and remains in place for the duration of that call. To reduce individual call processing, a plurality of VCs which share a single source-destination EFPS pair may be routed (actually, multiplexed) by defining an end-to-end network path for them. Each such network path constitutes a single physical link referred to herein as a virtual circuit path (VCP). Thus, each VCP defines a logical connection between a particular pair of EFPSs such as the EFPS at endpoint A and the EFPS at endpoint B, or more specifically, between the points of VC multiplexing within the two EFPSs, in contrast to the logical connection between two subscribers defined by a VC.

A simplified block diagram of the basic switch or switching node structure 22 usable for each EFPS or TFPS is shown in FIG. 2. The different functionalities of the switch 22 are accommodated by the manner in which connections are made in the Switching Fabric Subsystem (SFS) 24, as will be described presently. SFS 24, Subscriber Line Subsystem(s) (SLS) 25 and Trunk Line Subsystem(s) (TLS) 26 provide the major infrastructure of the switch. SLS 25 includes one or more Universal Control Units (UCU) 27 each of which is associated with one or more Subscriber Processing Units (SPU) 28, and if desired, a Port Multiplexer/Controller (PMC) (not shown). The SPU(s) 28 and associated UCU 27 communicate via a system peripheral bus 30. The PMC may be used to provide extended multiplexed access and control to SFS 24.

Each SLS 25 supports system protocols, provides access to network subscribers (which, for example, may be individual telephone, T1 trunk, PBX signal, computer and/or other devices, lines or signals) on lines such as 31, 32, 33 and 34 at the endpoint where switch 22 is located (if the switch is used in the EFPS mode or functionality), and provides the interface to the SFS 24. The SPU 28 is implemented to provide access, support and control for the designated category of each of the subscriber lines, maintain intelligent interface to the associated UCU to provide flow control and network management functions bidirectionally on the peripheral bus, and perform all necessary native protocol emulation.

The UCU 27 is implemented to provide FPS internal protocol support in either of two modes, a tandem mode or a stand-alone mode. In the tandem mode, two UCUs share responsibility for configurable frame formatting and dispatching. Toward that end, the UCU in the SLS 25 sends subscriber data streams to an associated UCU in the TLS 26 for composition of the frame payload. In the stand-alone mode, the UCU in the SLS handles the entire process. In a sense, the UCU acts as a concentrator, receiving data from the various subscribers via the SPUs, concentrating the data, providing the necessary levels of functionality, and presenting the data to the switching fabric (SFS) for routing to a TLS and subsequent transmission to the external world.

TLS 26 also has UCU(s) 36, which provides the functionality described above for the SLS UCU(s), and Trunk Processing Unit(s) (TPU) 37, which provides access, support and control for the FPS trunk lines such as 38 and 39, and a physical interface to the associated UCU for frame transmission, error detection and correction, and synchronization. For example, the data from the SLS 25 is received at the TLS 26 after traversing the switching fabric, is collected by the UCU 36, composed in the frame payload and presented to the TPU 37 for transmission to the next node.

Several different connection scenarios—SLS to SLS, or SLS to TLS, or TLS to TLS—in the switching fabric are available (shown in dotted lines in FIG. 2) according to the desired use of the switch. The connection of TLS to TLS provides transit switch (TFPS) functionality. An SLS to TLS connection provides endpoint node (EFPS) functionality from the subscriber to the trunk; and an SLS to SLS connection provides functionality internal to the node from one subscriber to another subscriber.

In the exemplary embodiment each SLS 25 and TLS 26 supports T1/T3 interfaces because this BW range is more suited to effective implementation of the composite frame, but other interfaces are not precluded. At T1/T3, the data stream at the SFS should be 1.544 mbps (2.048 mbps in the European standard).

It is desirable at times to refer to "source" and "destination" or to use other, but analogous, terms to identify the two sides of a logical connection—whether in reference to subscriber connections (VCs) or EFPS connections (VCPs). The two sides of a connection will also be referred to sometimes herein as the local side and the remote side. At times, the remote side may be the destination side; and at other times, the remote side may be the source side. In the architecture for VCPs according to the present invention, however, the source side of the VCP connection is determined (i.e., designated) at the time that the particular VCP is created.

For example, referring to FIG. 3, a trunk line subsystem (TLS) 40 associated with EFPS 41 is implemented and organized to recognize the need to build a VCP upon receipt of a number of subscriber connection (VC) requests destined for the same endpoint EFPS 43, from subscriber line subsystems (SLSs) 44. At that point, TLS 40 initiates a VCP call request (CR) and sends it to the "destination" TLS 45 associated with EFPS 43. If TLS 45 responds to the CR with a call accept (CA), which will depend upon customary considerations for establishing a call, a VCP is established between the two endpoint EFPSs. Because the CR originated from the EFPS 41 side of the connection, that side is thereafter referred to as the "source" side of the VCP, and the other side—the EFPS 43 side—is termed the "destination" side, of this particular VCP.

The concept of source and destination sides of the connection is useful for a variety of reasons. For example, if the connection of interest were to be broken inadvertently, such as because of a link failure, or if re-synchronization (discussed below) of the connection (or the entire network) were required, it is desirable—indeed essential—that one side should be passive and the other side active. Accordingly, although the source side is somewhat arbitrarily designated, once that designation is made the source side becomes and remains responsible for all synchronization type activities. Hence, whenever an end to end network re-synchronization activity is required, the source side of the particular VCP connection performs that activity.

The relationship of VCs to VCPs is illustrated in the block diagram of FIG. 4. FPS network 50 is an integrated services network, and includes a multiplicity of EFPSs 52, 53, 54 and 55 each of which has a plurality of subscribers associated with it. Each of the EFPSs has a TLS for each of the trunk lines (such as 57, 58 and 59 for EFPS 54) connected to that EFPS, and SLSs for the subscribers (such as 61, 62 and 63 for EFPS 54) associated with that EFPS, as described above for FIG. 2. EFPS 53 has subscribers 66, 67 and 68 which have initiated call requests to subscribers at other endpoints of network 50, sufficient to justify the establishment of VCPs (EFPS connections) for the VCs (subscriber connections). For example, subscriber 66 associated with the latter EFPS has a VC with subscriber 71 of EFPS 52, and another VC exists with that same subscriber 71 and another subscriber at EFPS 53, resulting in the establishment of VCP 80. Subscriber 66 also has one VC with a subscriber (74) of EFPS 55, and other subscribers (67 and 68) of the same originating EFPS (53) also have VCs with subscribers (74, 75 and 76) of the same destination EFPS (55). These VCs sharing a common source/destination EFPS pair are multiplexed onto a single VCP 82, which traverses TFPS 83 (the only VCP transit hop in this example).

Although the VCP concept itself is not new, the concept is implemented in a unique and different manner according to the present invention, with considerable benefits accruing from establishing VCPs across the integrated services network as a result. The VCP is physically represented by the composite frame which can carry many different traffic component types. Traffic is allowed to flow in the form of numerous subscriber connections (VCs) occupying respective channels in composite data frames between many pairs of source and destination EFPSs. Most of the benefits of the VCP are enjoyed at the transit nodes (TFPSs), including, for example, a many-fold reduction in call setups and call clearings, the specific number depending on the ratio of packet processing for call setup/teardown to packet processing for data for transit hops (i.e., between transit nodes) in the network. The VCP connection remains in place for traffic—subscriber connections—between the same pair of EFPSs, and thereby eliminates the need for the TFPSs along the VCP to continually set up and tear down connections as VCs that connect individual subscribers are established and terminated. A beneficial fallout of this reduction in processing is that the TFPS need not perform routing, control block allocation/linkage/release, or recording/checking of state information, on a per call basis. Another advantage is that assuming an average of, say, ten VCs multiplexed on a single VCP (which is not an inordinate number in this scheme), an order of magnitude reduction in memory requirements for VC control would be enjoyed at each TFPS. A further advantage is that network processing and delay for link and node failures are reduced by an order of magnitude at the transit nodes by virtue of their need to perform reconnect processing only for their respective VCPs, rather than for every VC that traverses the node. Although the source and destination EFPSs do not share these benefits directly with the TFPSs, they, too, perform less packet processing than would be the case without VCPs. This is because there is no inherent protocol conversion or packet reformatting associated with the VCP scheme.

The advantages of establishing VCPs increase with increases in the traffic load and with decreases in traffic fan-out (i.e., increases in concentration). As more VCs share source/destination EFPS pairs, more VCs can be multiplexed per VCP. Hence, the greatest benefits of VCPs are enjoyed on paths of highest traffic concentration between endpoint nodes. As will be described presently, the present invention provides techniques and implementations by which the VCPs may be anchored adaptively to different switching nodes of the integrated services network.
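The call request/call accept exchange of FIG. 3 that fixes the "source" designation, and the multiplexing of later VCs onto an already established VCP as in FIG. 4, as an added Python sketch that is not the patent's own implementation: a TLS object on each side exchanges CR and CA messages, the CR originator records itself as the source side that will carry out re-synchronization, and further VC requests toward the same EFPS are simply multiplexed without a new CR. The request threshold, the EFPS and VC identifiers, and the behaviour on a refused CR are assumptions.

```python
"""VCP establishment between two endpoint switches, modelled on the FIG. 3 description.

Added example, not the patent's own implementation. The message names CR and CA follow the
text; the request threshold and the refusal behaviour are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VCP_THRESHOLD = 2  # assumption: VC requests to one destination EFPS that justify building a VCP


@dataclass
class Message:
    kind: str  # "CR" (VCP call request) or "CA" (call accept)
    src: str   # EFPS identifier of the sender
    dst: str   # EFPS identifier of the receiver


@dataclass
class TrunkLineSubsystem:
    efps: str
    accept_calls: bool = True                                    # the "customary considerations" for a CA
    pending: Dict[str, List[str]] = field(default_factory=dict)  # destination EFPS -> VC ids awaiting a VCP
    vcps: Dict[str, str] = field(default_factory=dict)           # peer EFPS -> this side's role on that VCP

    def vc_request(self, vc_id: str, dest_efps: str) -> Optional[Message]:
        """Handle one subscriber connection request arriving from an SLS."""
        if dest_efps in self.vcps:
            return None  # a VCP to that EFPS already exists: the VC is multiplexed onto it
        waiting = self.pending.setdefault(dest_efps, [])
        waiting.append(vc_id)
        if len(waiting) >= VCP_THRESHOLD:
            return Message("CR", self.efps, dest_efps)
        return None

    def receive(self, msg: Message) -> Optional[Message]:
        """Process a message from the peer TLS and return the reply to send, if any."""
        if msg.kind == "CR":
            if not self.accept_calls:
                return None  # assumption: a refused CR simply receives no CA
            self.vcps[msg.src] = "destination"  # the CR originator holds the "source" designation
            return Message("CA", self.efps, msg.src)
        if msg.kind == "CA":
            self.vcps[msg.src] = "source"
            self.pending.pop(msg.src, None)  # the waiting VCs now ride on the new VCP
            return None
        raise ValueError(f"unknown message kind {msg.kind!r}")

    def handles_resync(self, peer_efps: str) -> bool:
        """Only the source side performs end-to-end re-synchronization for a VCP."""
        return self.vcps.get(peer_efps) == "source"


def establish_example() -> Tuple[Optional[Message], Message, Message,
                                 TrunkLineSubsystem, TrunkLineSubsystem]:
    """Replay the FIG. 3 exchange: TLS 40 at EFPS 41 builds a VCP to TLS 45 at EFPS 43."""
    tls40 = TrunkLineSubsystem(efps="41")
    tls45 = TrunkLineSubsystem(efps="43")
    first = tls40.vc_request("vc-a", "43")  # below threshold: nothing is sent yet
    cr = tls40.vc_request("vc-b", "43")     # threshold reached: the CR is issued
    ca = tls45.receive(cr)                  # the destination side answers with a CA
    tls40.receive(ca)                       # the source side records the VCP
    return first, cr, ca, tls40, tls45
```

The point of the model is the asymmetry the description insists on: both sides keep state for the VCP, but only the side that issued the CR answers true to `handles_resync`, so a later link failure or network-wide re-synchronization has exactly one active party per VCP.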

In fast packet switching networks, a conflict typically exists between the requirements of low delay, high throughput, and maximum bandwidth utilization. It becomes highly desirable to develop a data frame or packet format which will resolve the conflict, but the prior art schemes have not proved successful in that regard. For example, if the frame is small, with a ratio of payload size to header size approaching unity, it has a good packetization delay in that frames are launched relatively quickly, because the payload channel is filled rapidly with the subscriber data stream. On the other hand, each frame has as much as 50% of its bandwidth devoted (i.e., locked) to header information, and the balance devoted to the payload, which constitutes very poor bandwidth utilization. Also, this type of frame format results in a low effective packet switch throughput because each frame contains a relatively small amount of payload data and a relatively large amount of header or control information. A large number of frames must be switched to transfer any significant amount of data since the switch processing time and complexity is a function of the size of the header, and is not favorably affected by the small size of the payload.

If the frame is too large, in the sense that the ratio of payload size to header size is substantial, packetization delay is poor in low speed applications because the payload channel takes an inordinate amount of time to fill. On the other hand, if such a frame format is utilized in short burst applications, the frames will be launched with little delay but with a relatively large amount of unoccupied space in the payload channel, i.e., the frame has a great amount of its bandwidth devoted to unused payload, and thus represents poor bandwidth utilization. The foregoing and other drawbacks are found in the fixed size single subscriber payload frame (or cell) proposed by the CCITT ATM standard. The current ATM standard is a cell having a payload size of 48 bytes and a header size of five bytes.

The use of a variable size single subscriber payload frame also produces a poor result. The X.25 standard is such a frame format, with payload size ranging up to 4,096 bytes, in addition to header, and suffers from poor bandwidth utilization and switch throughput for short burst data for the same reasons as those applicable to small fixed size payloads. Also, more complex algorithms are required to handle the worst case delay and packet jitter experienced for isochronous services in a multimedia network.

The configurable frame format of the system and method of the present invention is a distinct improvement over the fixed size and variable size payload frames of the prior art. A preferred method and embodiment utilizing such a format will now be described for a suitable high speed data (fast packet) network.

Only the subscriber data streams at an EFPS which are intended to be sent to another, common EFPS of the ISN network (or of another network linked to that network) may be combined or assembled in the same composite data frame. It will be understood that in this context, the term "data" is used in a broad sense, encompassing data, voice, video and any other traffic component types. For example, referring again to network 10 of FIG. 1, if several subscribers at endpoint A are sending data to subscribers at endpoint B during a given time interval, the data streams of those endpoint A subscribers may be combined in composite data frames by the EFPS at endpoint A. These frames are then launched to be transported through the network to endpoint B for appropriate distribution to the respective subscriber destinations.

In keeping with the previous discussion of source and destination labels, although certain subscribers, switches or endpoints may be variously described as entry, source or origination, or as exit or destination, or by analogous terminology, any of them may (and typically will) act as both a source and a destination, in the customary sense, in any communication session(s) across the network. In other words, data may flow in both directions in any given VC over the course of the connection between the two subscribers. However, the previously mentioned convention of "source" and "destination" designations for purposes of the architecture of the system continues to apply.

Referring to FIG. 5, an exemplary composite data frame according to the invention has a fixed payload size but is composed in a way to accommodate a plurality of traffic component types. Exemplary composite data frame 90 is 192 bytes in length, including a header 92, payload 93 and frame check sequence (FCS) 94. Payload 93 contains the information to be communicated to subscribers at the destination endpoint. The payload is divided into traffic component slots (referred to herein as T-slots) 96, 97 and 98, in this example, with grouping according to traffic component type (such as voice and data here, although other components such as video may also be included in a separate T-slot of the frame). That is, each T-slot is dedicated to subscriber connections of the same traffic component type. In turn, each T-slot is subdivided into multiple channels, such as the three channels 99, 100 and 101 for T-slot 96.

According to the preferred embodiment and method of the invention, each channel of a T-slot is allocated when a subscriber connection is requested, and remains dedicated to that single active subscriber connection (VC) for the life of the connection. The channel is released only when the connection is terminated. An alternative scheme is to configure and reconfigure the data frame with each start and end of a burst, and to allocate the channel only for the duration of the burst. However, the latter scheme requires more configuring and reconfiguring of the frames and more overhead and control information to be transported through the network than the duration of connection technique. Consequently, the preferred technique provides a relative reduction in packet configuration/reconfiguration and bandwidth overhead requirements. An additional advantage of the duration of connection technique, namely, no loss of data, is realized from the frame compression mechanism which is another aspect of the invention, to be described presently.

In the illustrative example of FIG. 5, payload 93 of the composite data frame is assembled from three different traffic component types—64 kilobit (kb) X.25 data, adaptive pulse code modulation (ADPCM) voice, and 9.6 kb SDLC (Synchronous Data Link Control) data—which are consequently grouped in three T-slots. The number of T-slots in the payload of the frame and the number of channels per T-slot may be more or less than are shown in this example, subject to the limitation of
frame length. With the composite framing technique of the present invention, each frame may be configured and reconfigured according to the transmission needs and traffic component types of the various subscribers at each EFPS.

According to a further feature of the system and method of the invention, the channel sizes in each composite data frame (such as that of FIG. 5) are T-slot specific, and this condition exists network-wide, which has the advantage of eliminating the need for control information to specify channel size. That is, all channels of a specific T-slot type (such as X.25 data) in all frames on all VCPs in the ISN network are of equal size, and, because this is a known quantity, the overhead (bandwidth) which would otherwise be required to designate channel length is eliminated from the frame. Selection of channel length is made statically by the network administrator, according to the nature of the respective traffic component. In the example of FIG. 5, the selection of channel sizes for the three T-slots is based on a single traffic component type attribute or characteristic, namely, the ratio of "subscriber line rate" to "packetization delay". However, in practice many other attributes (such as activity level, burst size, and so forth) may be considered.

Another example of an important attribute for packet switched services in the context of the present invention is average packet length, because it is desirable to put an entire packet into a single channel of the composite data frame. If that is not feasible, it is desirable to minimize the amount of chopping or dissection of the data. For example, in an extreme case one packet may be 128 bytes long and another may be 10,000 bytes long. The development of an appropriate compromise is relegated to selecting the optimum increment for dividing up the packet. Another important attribute for isochronous and circuit switched services is sensitivity to delay, which also dictates buffering and packetization delay. For example, if the buffer is very small, it is necessary to packetize and ship out the data as soon as it is accumulated. In those circumstances, the channel size should be selected to be as small as practicable, because the larger the channel size the more delay is introduced into the system. On the other hand, in the case of a variable bit rate source, there is a probability of overflow of the internal buffers. If the channel is too small, the probability of buffer overflow is high, and with each overflow some data is lost. It is necessary in those circumstances to increase the buffer or the channel size. In the case of the channel the frame compression mechanism of the present invention is available, but in the case of the buffer there is underutilization which, nevertheless, is acceptable with a variable bit rate source because although infrequent, the buffer can be filled quickly when high speed (bit rate) data is being received at the buffer. For the variable bit rate source, one attribute is the probability of overflowing the buffer or channel.

According to an aspect of the invention, each VCP of the ISN network has an autonomous composite data frame format which is defined and managed by the anchoring EFPSs at the source side and the destination side of the respective VCP. That is, each VCP has only one frame format associated with it at any given time. The frame format may be set permanently at the time that the frame is configured; or it may be reconfigured dynamically by either of the EFPSs anchoring the VCP upon detection of a subscriber connection (VC) request or release, which is the preferred scheme. The VC request (for addition of a channel) or release (by deletion of a channel) is contained in a frame reconfiguration request (FRR, which will be discussed in greater detail presently) issued by the EFPS which is servicing the active subscriber (i.e., the subscriber desiring to add or to release a channel). An FRR is never issued by a TFPS, for reasons which will become apparent in the subsequent description of this feature herein.

The composite data frame payload format, to the extent that it is reconfigured (and only upon such reconfiguration), is set forth in a delta change template (i.e., signifying only the changes from the prior format) which is conveyed within a control frame by the local anchor EFPS to each of the transit nodes (TFPSs) of the VCP and to the remote anchor EFPS. This "payload format template" is stored at each of those nodes.

The composite data frames are composed and decomposed from and to the data streams of the respective subscribers, only by the local and remote EFPSs constituting the anchor nodes for the VCP, and never by the TFPSs along the VCP. Each composite data frame has a format exemplified by FIG. 5, discussed above. The frame format is transparent on the transit nodes except during periods of output link congestion.

As described above, during frame composition a dedicated fixed size channel is allocated in the composite data frame payload for each subscriber connection (VC) multiplexed onto the VCP. The channels are grouped together in T-slots (traffic component types) in the payload. Channel sizes may vary from T-slot type to T-slot type, but are a predefined fixed size for any given T-slot type, network-wide. Thus, in FIG. 5, for example, the X.25 T-slot 96 has three channels 99, 100, 101 of equal size, each having a 64 bit length. The PCM voice T-slot 97 has two channels of equal size, each having a 32 bit length. And the SDLC data T-slot 98 has two channels of equal (16 bit) size.

Because the channel size for each particular T-slot type is the same on a network-wide basis, and is known throughout the network, it need not be carried within each frame as part of the control information, thereby conserving bandwidth. Only the T-slot type, its position in the frame, and number of channels need be communicated in order to provide a complete picture for decomposition of the frame at the destination VCP. The principal criteria for setting channel size are (1) subscriber interface speed and (2) activity level of the T-slot type. In the preferred embodiment, the header size is a minimum of 5 bytes in a composite data frame maximum length of 192 bytes.

The composite data frame format in general, and the payload format in particular, provide a number of benefits when compared to other payload formats such as fixed size single subscriber payload format and variable size single subscriber payload format. One benefit is related to the traditional capability of network subscribers to optimize resources by performing multi-subscriber multiplexing outside the network, for example, by installing a control unit between the network and a cluster of 3270 terminals. This type of optimization is extended by the network, by means of the configurable frame format, across dissimilar devices and traffic components provided that they share the same source/destination EFPS pair. Moreover, the shared payload scheme of the invention possesses advantages over traditional packet network multiplexing schemes. One such advantage is the capability to improve bandwidth utilization by providing a larger payload size to header
size ratio without the normal packetization delay. Another is that the effective switch throughput is increased by carrying the subscriber data streams with larger payloads, in that for a given volume of subscriber data, throughput is more a factor of frame count than frame size. For example, considerably more processing is required for one thousand 100-byte packets than for one hundred 1,000-byte packets.

By configuring the VCP composite data frames with many very small channels (e.g., 2 bytes), to create the illusion of a continuous bit stream with no packet jitter, the packet switched network assumes the circuit switched network characteristics of enhanced transmission quality. Thereby, the configurable composite data frame may be used as part of a circuit/packet switch hybrid product. The frame may also be configured to accommodate ATM schemes and large payload fast packet switch schemes.

The composite data frame header fields are functionally analogous to header fields in ATM cells and LAPD (link access procedure) frames, the major differences being in format to reflect the requirements of an end-to-end protocol in contrast to the interface protocols addressed by standards of the latter two packet types. FIG. 6 presents a simplified comparison of the three packet types, with the composite data frame for the preferred embodiment of the present invention shown in part (a), and the ATM cell and LAPD frame of the prior art shown in parts (b) and (c), respectively.

Referring to FIG. 6(a), the FLAG field is a frame delimiting flag required for synchronization because of the variable frame lengths. The trailer flag of a preceding frame may act as the preamble flag of the next frame. The PT (payload type) field identifies the frame type, i.e., a data frame or one of the defined control frames. This is unlike the ATM cell header PT field (FIG. 6(b)) in the following respects: (1) in the data frame of the present invention, the PT field precedes the VPI (virtual path ID) field because both will be considered simultaneously for switching purposes and the PT field has higher precedence; and (2) the PT field is larger than the ATM cell PT field because of the added control frame types required by the internal protocol. The VPI field of the composite data frame has local input/output link significance. Two bytes allow for up to 64,000 possible VCPs to traverse a given link — a worst case which allows for maximum utilization of a T3 link with an average VCP activity level of only 700 bits per second (45 mbps/64 k VCPs = 700 bps per VCP). The VER (version number of the data frame) field provides the version number which is needed for synchronization because the payload format is dynamically modifiable via VCP control frames. The VCP source and destination anchors (EFPSs) have a one bit version number to toggle for this purpose.

A significant feature of the composite data frame of the present invention which serves, in part, to distinguish it from frames, packets or cells of the prior art (whether those shown in FIG. 6(b) and (c) or otherwise), is the PFC field. In the composite data frame of FIG. 6(a) this field provides prioritized flow control (PFC). It will be observed that the ATM cell has a PFC (priority fairness control) field as the initial field in its header which, however, is understood thus far to be undefined by CCITT. According to the present invention, prioritized flow control as encompassed by the PFC field of the composite data frame header is used for the purpose of providing frame compression, to conserve bandwidth and optimize bandwidth usage. This technique will be discussed in detail below, but for the present it is only necessary to briefly mention some aspects of the PFC field.

The PFC field of FIG. 6(a) has three types of bits for each T-slot: a single A bit for flow control, and a single B bit and a number of C bits equal to the number of channels in the T-slot, the C and B bits being referred to herein as "presence" bits. The A bit is used by any TFPS or anchor EFPS of the VCP to inform the TLS or SLS therein of the requirement and severity of flow control. For example, A=1 indicates that flow control is required; whereas A=0 indicates that no flow control is required. The B bit is used by the VCP anchors to indicate an absence of all channels associated with this T-slot in the composite data frame (i.e., that the frame is compressed). For example, if B=1 the T-slot identified by that bit is present, and if B=0 the T-slot is not present (i.e., all of the channels associated with that T-slot are absent). The C bits are associated with the respective channels of the T-slot, one bit per channel, and are used by the VCP anchors to indicate frame compression (absence of the channel) attributable to either subscriber inactivity or flow control. For example, if C=1 the channel identified by that bit in that specific T-slot is present, and if C=0 that channel is not present in the T-slot.

It follows that if, for example, a frame has three T-slots and four channels in each T-slot, the PFC field would contain three A bits, three B bits and twelve C bits (positioned in the sequence A, B, C for each T-slot as shown in FIG. 6(a)). If B=0 for a particular T-slot, none of its associated C bits are carried in the field; i.e., if a T-slot is not present, none of the channels associated with that T-slot is present in the data frame, and no bandwidth need be allocated in the payload for the corresponding channels.

Thus, the PFC bits provide a complete picture of the state of flow control required for the respective T-slot at the network nodes traversed by the particular VCP. This control information is built into the frame header by the source EFPS during frame composition, and neither the transit switches on that VCP nor the destination EFPS for that frame can modify the B and C bits. However, each FPS (TFPS or EFPS) can change the value of the A bit to trigger flow control, when necessary. In essence, the B and C bits are used during frame decomposition to communicate whether there is frame compression as a result of the absence of the associated T-slot or a channel thereof, either because of inactivity of the respective subscriber(s) or because of flow control.

The PFC field of the composite data frame header is immediately followed by the payload, which is followed by an FCS (frame check sequence). Just as in the case of the FCS of the LAPD frame of FIG. 6(c), this FCS applies to the entire frame. The ATM HEC (header error check) field of FIG. 6(b) is analogous to a frame check sequence, but applies only to the header. Application of a check sequence to the entire frame is desirable because it provides an additional level of network integrity through payload error detection. In this respect, it is also noteworthy that ATM is targeted for 100% fiber optic networks which have very low bit error rates. The composite data frame FCS in the preferred embodiment of the invention is only one byte long compared to the two byte LAPD FCS, but nevertheless provides a comparatively high level of integrity
because of the maximum frame length of 192 bytes versus 4,096 bytes for the LAPD frame.

For ATM, the cell (packet) payload is a single channel of fixed size as shown in FIG. 6(b), and successive cells are launched asynchronously only after the subscriber data stream has filled the channel. A feature of the system and method of the present invention is that the composite data frames are launched synchronously. This is a departure from conventional principles of circuit switched networks, which are invariably synchronous, and packet switched networks, which are invariably asynchronous. The synchronous frame launching further enhances the performance characteristics of the packet switched network (beyond enhancement obtained from other features of the invention, such as the use of a frame with many relatively small channels), to provide improved transmission quality comparable to that of circuit switched networks, while retaining the bandwidth savings advantage of packet switching. Isochronous services such as voice and video are provided with near circuit switching quality jitter and delay characteristics by employing this combination of fixed short time interval packetization and synchronous frame launching onto the ISN network. Synchronous frame launching also permits fixed size channels on a "per T-slot" basis, and consequent elimination of any need to transmit channel length control information for purposes of frame decomposition.

A simplified block diagrammatic representation of a VCP with synchronous frame launching is shown in FIG. 7. EFPSs 111 and 112 anchoring VCP 113 are responsible for frame composition/decomposition at their respective endpoints. Each of those EFPSs composes and transmits a composite data frame (x and y, respectively) toward the remote EFPS anchor (112 and 111 as the case may be, in this example) at a fixed time interval relative to the last frame launching and to the next frame launching. This time interval, which is synonymous with packetization delay, is configurable on a network-wide basis, and may be, say, one or two milliseconds (ms) in length. In the preferred embodiment, a launch interval of one ms is used throughout the network for synchronous frame launching. As a consequence of this network-wide synchronous frame launching, the launch interval information is known at each switch along the VCP, whether TFPS or EFPS. The only additional information which is required for frame decomposition at the remote EFPS is the number of channels allocated in the frame and the traffic component type of each channel. This not only simplifies the decomposition process, but, by reducing the amount of control information which must be carried in the frame, results in a significant saving of bandwidth.

An EFPS, or more precisely the point of multiplexing within the EFPS, may anchor more than one VCP. However, for each VCP established as a logical connection between a pair of EFPSs, there is a one-to-one coupling with the composite data frame transported on it. In the example of FIG. 7, EFPS 111 launches composite data frame x+1 one ms after frame x was launched. Similarly, the other anchor for this VCP, EFPS 112, launches composite data frame y+1 one ms after frame y. The channels in each frame payload contain subscriber data which was accumulated during the one ms since the last frame was launched from that EFPS. For example, 8 bytes is the maximum amount of data which can be accumulated for a 64 kb PCM voice subscriber in a one ms frame launch network (64 kb/1000 = 64 bits = 8 bytes). A two ms frame launch network would require double the optimal channel size for a given T-slot (e.g., 64 kb PCM voice T-slot can fill a 16-byte channel in two ms). Thus, the frame launch time should be optimized for the T-slot types intended to be transported by the particular ISN network.

A decision as to whether to send a partially filled channel or to delay until the next frame launch will depend on the attributes of the T-slot type to which that decision applies. In any event, the PFC field in the header of each composite data frame will signify any channel omission, and thus frame compression that may be present, with an elimination of otherwise wasted bandwidth.

The composite data frame format scheme and synchronous frame launch scheme have a certain dependency, and consequently, overlapping benefits such as virtual elimination of one of the two major "quality of service" differences between packet and circuit switched networks, namely, packetization delay. (The other, bandwidth reservation, will be discussed presently.) Various other benefits accrue in the packet switched ISN from the use of synchronous frame launching. One is a substantial reduction in packet jitter for isochronous services subscribers. Major contributors of packet jitter and packetization delay in prior art techniques are (i) variable sized packets and/or indeterminate "packet launch times" attempting to fully utilize a fixed size frame, and (ii) long periods of subscriber data buffering in an attempt to improve header size/payload size ratio. Among solutions which have been proposed in the prior art to alleviate these problems are the use of (i) partially filled ATM cells (less than 50% bandwidth utilization for PCM voice); (ii) echo cancellation equipment at each subscriber port; and/or (iii) packet payload sharing among several subscribers. The present invention utilizes a variation of the latter technique in one of its aspects, in a manner which is a considerable improvement from standpoints of simplicity and effectiveness, over the specific solutions heretofore proposed.

Among other benefits obtained from the use of synchronous frame launching in the ISN FPS network of the invention are a reduced occurrence of partially empty payloads as a result of smaller payload channels, with an attendant improvement in bandwidth utilization; and the capability to accurately calculate worst case traffic spikes at the transit nodes as a result of a fixed frame launch period in conjunction with a fixed channel size, which allows better management of bandwidth reservation and allocation. Also, network frame loss has significantly less impact on isochronous services subscribers, because of the smaller channel sizes.

The advantages of synchronous frame launching in the ISN network are greatest when multiple subscribers actively share each VCP, so that the payload channel count (i.e., payload size) is sufficiently large to maintain a good ratio of payload size to header size while using a relatively short launch time interval. An example of a payload size resulting from six "highly active" 64 kb subscribers is illustrated in FIG. 8. The network-wide frame launch time is one ms in this example. T-slot 1 is 64 kb transparent circuit mode voice, and has four channels (one for each of these voice subscribers). T-slot 2 is composed of a 64 kb subscriber frame relayed data stream, with two channels (one for each of those data subscribers). It should be noted that, in this example, although all of the subscribers' data streams have the
same speed (64 kb), and the channel size for both of the two T-slots is the same (8 bytes), the payload contains two different traffic component types, i.e., (1) voice and (2) frame relayed data. The VCP on which this composite data frame is transported is capable of fully utilizing the frame with an overall header and payload size equal to that of an ATM cell, and a ratio of payload size to header size of approximately ten, while complying with only a one ms packetization delay.
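The PFC presence bits, the frame compression they signal, and the launch-interval channel sizing described above, worked through as an added example. This is illustrative code written for this page, not the patent's own implementation: the bit ordering (A, B, then C bits per T-slot, C bits omitted when B=0) and the 64 kb/1 ms = 8 byte channel rule follow the text, while the names (TSlot, compose_frame, decompose_frame), the zero padding of a partially filled channel, and the sample channel contents are assumptions constructed here. The FIG. 8 layout (four 8-byte voice channels plus two 8-byte frame relay channels) is reproduced as fig8_frame().

```python
"""PFC presence bits and composite data frame compression (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TSlot:
    """One T-slot of a VCP frame: a fixed channel size and one buffer per channel.
    A channel buffer of None means the subscriber had nothing to send this period."""
    name: str
    channel_size: int
    channels: List[Optional[bytes]]
    flow_control: bool = False   # the A bit; any FPS on the VCP may set it


def channel_size_bytes(bit_rate_kb: int, launch_interval_ms: int) -> int:
    """Bytes a subscriber accumulates per launch interval (64 kb at 1 ms = 8 bytes)."""
    return bit_rate_kb * launch_interval_ms // 8


def pfc_bits(tslots: List[TSlot]) -> List[int]:
    """A, B, C bit sequence for each T-slot; C bits are carried only when B=1."""
    bits: List[int] = []
    for ts in tslots:
        present = [c is not None for c in ts.channels]
        b = any(present)
        bits.append(int(ts.flow_control))        # A: flow control required?
        bits.append(int(b))                      # B: any channel of this T-slot present?
        if b:
            bits.extend(int(p) for p in present)  # C: one bit per channel
    return bits


def compose_frame(tslots: List[TSlot]) -> Tuple[List[int], bytes]:
    """Source EFPS side: build the PFC bits and a compressed payload in which an
    absent channel occupies no bytes (a partially filled channel keeps its full size)."""
    payload = bytearray()
    for ts in tslots:
        for chan in ts.channels:
            if chan is None:
                continue
            if len(chan) > ts.channel_size:
                raise ValueError("channel data exceeds the fixed channel size")
            payload += chan.ljust(ts.channel_size, b"\x00")  # padding is an assumption
    return pfc_bits(tslots), bytes(payload)


def decompose_frame(bits: List[int], payload: bytes, layout: List[Tuple[int, int]]):
    """Destination EFPS side: recover (flow_control, channels) per T-slot.
    layout = [(channel_size, channel_count), ...] is the only extra information
    the remote anchor needs besides the network-wide launch interval."""
    pos, off, out = 0, 0, []
    for size, count in layout:
        a, b = bits[pos], bits[pos + 1]
        pos += 2
        if not b:                       # whole T-slot compressed out, no C bits follow
            out.append((bool(a), [None] * count))
            continue
        present = bits[pos:pos + count]
        pos += count
        chans: List[Optional[bytes]] = []
        for p in present:
            if p:
                chans.append(payload[off:off + size])
                off += size
            else:
                chans.append(None)
        out.append((bool(a), chans))
    if pos != len(bits) or off != len(payload):
        raise ValueError("PFC bits do not match the layout and payload length")
    return out


def fig8_frame() -> List[TSlot]:
    """Constructed sample matching FIG. 8: six active 64 kb subscribers at 1 ms."""
    size = channel_size_bytes(64, 1)
    voice = TSlot("64 kb voice", size, [bytes([i]) * size for i in range(1, 5)])
    data = TSlot("64 kb frame relay", size, [b"\xaa" * size, b"\xbb" * size])
    return [voice, data]


if __name__ == "__main__":
    bits, payload = compose_frame(fig8_frame())
    print(bits, len(payload), "payload bytes")
```

With every channel active the FIG. 8 frame carries 2 A bits, 2 B bits and 6 C bits, and a 48-byte payload; when both frame relay subscribers are idle the second T-slot's C bits and its 16 payload bytes disappear from the frame, which is the compression the text describes.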

In systems of the present invention, multi-media traffic integration with predictable service quality and transmission facility economy is provided with minimal network management system (NMS) configuration and intervention activity. Bandwidth management intelligence is provided by the FPS network itself. The NMS parameters include network-wide configurable parameters and transmission link specific parameters. The network-wide parameters, which permit traffic-driven specification of the network, complete control of the trade-off between quality of service (on a per-T-slot basis) and transmission facility utilization, and prioritization by T-slot, include those listed in Table I, below. T-slot type channel sizes are indicated in Table II. Rather than designating a particular traffic component with a priority level for all of its attributes, it may be desirable, and is preferred in the embodiment and method of the invention described herein, that a priority level be assigned for each different attribute of the traffic component (including attributes such as delay sensitivity, loss tolerance, activity level, burst size, average packet length, probability of buffer or channel overflow, etc.). Priority is used during flow control/congestion situations to determine which traffic components should be call blocked and/or put in a degraded service mode.

The NMS transmission link specific parameters allow the NMS to divide the network into autonomous service points/regions, and to control at each point (during peak traffic loads) the quality of service on a per T-slot type basis. These parameters include link utilization threshold and T-slot bandwidth allocation profile, the latter including T-slot minimum guaranteed bandwidth, T-slot maximum allowable bandwidth, and call block threshold, listed in Tables III and IV, respectively, below. All values set forth in these tables are presented for the sake of example only.

TABLE I

Name                  Range     Default   Comment/Default Rationale
max frame size        16-192    192       Preferred FPS network BW manager for optimizing
(bytes)
frame launch          1-5 ms    1 ms      Shortest interval permitting adequately large
interval                                  channels to be fully utilized¹
max T-slots per       1-5       4²        More would lead to excessively large PFC field, and
frame                                     cumbersome congestion processing on transit nodes
max channels per      1-30      20        Default value based on T1 & T3 trunks, w/low-end
frame                                     subscriber rate of 64 kb (i.e. channel size 6 to 8 bytes)
min channel size      2-187     2         Allows full channel utilization down to 16 kb
(bytes)                                   subscriber w/o "sub-multiplexing" outside network
max channel size      2-187     187       Good compromise between memory mgmt limitations &
(bytes)                                   industry optimal size?³
max T-slot types      1-32      16        Consistent with ATM standard of 16 priority levels
ntwk-wide
T-slot type                               see Table II
channel size

¹ Value directly impacts channel size of each T-slot type. As launch time increases, channel size can increase with full payload utilization. The trade-off is increased packetization delay.
² If a source/destination EFPS pair must carry more T-slots or channels simultaneously, addl. VCPs may be set up between the pair.
³ Small enough to manage max packet size in a single buffer throughout system (incl. switch fabric). European group prefers 32-byte "channels", while other extreme advocates 600-byte "channels".

TABLE II
T-SLOT TYPE CHANNEL SIZES⁴

T-slot        T-slot                    Channel Size
(priority)⁵   Description               (No. of Bytes)
0             low scan video            75
1             ADPCM voice (32 kb)       4
2             64 kb packet data         8

⁴ T-slot descriptions and channel size values are exemplary only.
⁵ Priority is used during flow control/congestion situations to determine which traffic components should be call blocked and/or put in a degraded service mode.

TABLE III
LINK UTILIZATION THRESHOLD

Level   Threshold
1       50%
2       90%

Each increasing threshold affects one or a range of T-slot types with higher priority. "Threshold" is a measure of actual (current) bit usage as a percentage of link bit rate (i.e., 750 kbps actual on 1.5 mbps link = 50% threshold). The effective bit rate (amount of subscriber data transmitted) is less than or equal to actual bit usage, because of header fields and partially empty payloads.

TABLE IV

T-slot   Min Guaranteed BW         Max Allow-   Call Block Threshold
Type     (as % of link bit rate)   able BW      (Link Utilization Threshold)
0        10%                       30%          4
1        20%                       30%          1
2        10%                       30%          1
3        30%                       30%          2
...
31
         Total < max link utilization threshold value

Notes to Table IV:

A T-slot type may exceed its minimum guaranteed bandwidth during low traffic conditions, but the FPS can seize back (by flow control and call blocking, to be explained in more detail below) all of the bandwidth exceeding the minimum guaranteed level. Seizing proceeds on a schedule of lowest priority first. By setting values for min guaranteed BW and max allowable BW close together, the NMS can ensure the quality and predictability of service to the T-slot because this assures that BW will not be seized away and redistributed to another T-slot type. Setting the values far apart allows delay-insensitive T-slot types to far exceed their min guaranteed BW, with the risk of flow control delay if traffic load increases from other T-slots.

Call block threshold is a measurement of total BW in use by all T-slot types on the link. It is not enforced (not relevant) unless the request for BW is by a T-slot type whose minimum guaranteed BW is already exceeded. The purpose of this parameter is to allow the NMS to reserve BW for high priority T-slot types, even when they are inactive, by blocking lower priority T-slots. Such configuration may be used to prevent BW allocation policy thrashing, where BW is constantly redistributed among several contending T-slot types.

Another key aspect of systems according to the invention is that within the framework of the NMS configuration parameters, the ISN FPS network policies maximize effective link throughput by providing on-demand bandwidth distribution/redistribution among T-slot types while generating minimal control information traffic. Toward that end, the SPU of the SLS (described in conjunction with FIG. 2 above) supports the native protocol, and reserves bandwidth on the VCP by requesting a channel of the appropriate T-slot type from the local VCP anchor (EFPS). In a request for bandwidth, the SPU requests or releases the associated VCP channel upon receipt of a connection request (call request) or connection release (call release) from the subscriber to which that channel is allocated. In the preferred embodiment, for at least some T-slot types with a high volume of short duration connections to the same destination, the SPU will hold a pool of channels on the VCP and request/release channels on the basis of the current number of active calls on those channels within a predetermined high/low threshold, rather than on a per subscriber call basis. This type of multiplexing is transparent to the system protocol, which views each channel as a single, indivisible subscriber entity.

Referring back to FIG. 2, the SPU such as 28 selects the desired VCP for the request/release based on a suitable FPS routing algorithm stored in the switch in which the SPU is located. If the current VCP has reached its maximum size, or if there is no VCP to the desired destination EFPS, a new VCP is sought to be established by the local anchor EFPS. The SPU channel requests are sent to the TLS 26 anchoring the VCP. Channel requests/releases are initiated only at the VCP anchor EFPSs, but TFPSs along the VCP may reject requests based on link traffic conditions and based on the NMS transmission link specific parameters described in connection with Tables III and IV above.

In the processing of bandwidth requests, for each channel request/release by the SPU, the associated local VCP anchor EFPS builds and launches a composite data frame reconfiguration request (FRR) control frame. When multiple reconfiguration requests for a VCP are received by the TLS during a single frame launch period, all of those requests are combined into a single FRR control frame. In response to receipt of the FRR control frame (or simply, FRR) each successive TFPS on the VCP and the remote anchor EFPS, in turn, will either (i) reserve the requested bandwidth and relay the FRR to the next node (transit or endpoint, as the case may be), or (ii) send a rejection (i.e., refusal to reserve the requested bandwidth) back to the originating anchor, depending on traffic conditions and the NMS parameters then existing at that node.
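The SPU channel pool with its high/low thresholds and the anchor EFPS's combining of all reconfiguration requests from one launch period into a single FRR, as an added example. This is illustrative code written for this page, not the patent's implementation: the pool is driven by the number of free channels (low_free/high_free), the EFPS is modelled as granting pool requests immediately so that the pool size can be tracked locally, and the class names, the FRR record layout and the event trace are all assumptions constructed here.

```python
"""SPU channel pooling and per-launch-period FRR batching (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Request = Tuple[str, str]   # ("request" | "release", T-slot type)


@dataclass
class ChannelPool:
    """Pool of VCP channels held by an SPU for one T-slot type.
    Channels are requested/released when the free-channel count crosses the
    low/high thresholds, not once per subscriber call (assumed thresholds)."""
    tslot_type: str
    low_free: int = 1      # request more channels when free channels drop below this
    high_free: int = 3     # release channels when free channels exceed this
    channels: int = 0      # channels currently held on the VCP (grants assumed)
    active_calls: int = 0

    def free(self) -> int:
        return self.channels - self.active_calls

    def on_call(self, arrival: bool) -> List[Request]:
        """Adjust the pool after a call request/release; return FRR items to send."""
        self.active_calls += 1 if arrival else -1
        items: List[Request] = []
        while self.free() < self.low_free:
            self.channels += 1
            items.append(("request", self.tslot_type))
        while self.free() > self.high_free:
            self.channels -= 1
            items.append(("release", self.tslot_type))
        return items


@dataclass
class AnchorEFPS:
    """Local VCP anchor: one FRR control frame per launch period carries every
    reconfiguration request received during that period."""
    launch_interval_ms: int = 1
    pending: List[Request] = field(default_factory=list)
    frr_log: List[Dict] = field(default_factory=list)

    def submit(self, items: List[Request]) -> None:
        self.pending.extend(items)

    def launch(self, t_ms: int) -> None:
        """End of launch period t_ms: flush all pending requests into a single FRR."""
        if self.pending:
            self.frr_log.append({"t_ms": t_ms, "items": list(self.pending)})
            self.pending.clear()


def simulate(events: List[Tuple[int, str]], low_free: int = 1, high_free: int = 3):
    """events: (time in ms, "arrive" | "depart") for one T-slot type on one VCP.
    Returns the FRR control frames launched and the final pool state."""
    pool = ChannelPool("pcm_voice", low_free, high_free)
    efps = AnchorEFPS()
    last = max(t for t, _ in events)
    for t in range(last + 1):
        for time_ms, kind in events:
            if time_ms == t:
                efps.submit(pool.on_call(kind == "arrive"))
        efps.launch(t)        # synchronous launch, once per 1 ms period
    return efps.frr_log, pool


# Constructed event trace: three calls arriving in the same 1 ms period, one
# more at 5 ms, and four releases in the period starting at 9 ms.
SAMPLE_EVENTS = [(0, "arrive"), (0, "arrive"), (0, "arrive"), (5, "arrive"),
                 (9, "depart"), (9, "depart"), (9, "depart"), (9, "depart")]

if __name__ == "__main__":
    for frr in simulate(SAMPLE_EVENTS)[0]:
        print(frr)
```

On the sample trace the three arrivals in period 0 produce four channel requests that leave in one FRR, the arrival at 5 ms produces one, and the four releases at 9 ms collapse to two channel releases in a single FRR, leaving three channels pooled for the next burst of calls.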

The volume of such FRR traffic on a VCP is a function of the number of T-slot types on the VCP and the number of channels per T-slot. Table V below illustrates two exemplary VCP traffic profiles and the corresponding amount of FRR traffic generated thereby (in number of composite data frames per FRR control frame).

TABLE V⁶ ⁷

Example 1:
VCP traffic = 10 PCM voice connections
Result: avg time between reconfigurations = 6 secs
        = 1 per 6,000 data frames
        (steady state requires avg turnover of 5 callers every 60 secs)
        composite data frame payload size = 80 bytes (ten 8-byte channels)

Example 2:
VCP traffic = 5 facsimile connections and 10 E-mail connections
Result: avg time between reconfigurations = 4 secs
        = 1 per 4,000 data frames
        (steady state requires avg turnover of 5 fax and E-mail callers every 60 secs)

⁶ Following assumptions apply:
   each call requires two configurations (channel request/release)
   network frame launch period = 1 ms
   PCM voice average call duration = 120 seconds
   Fax call duration = 60 seconds
   E-mail call duration = 240 seconds
⁷ Examples given are for steady state traffic loads. Manner in which loads are achieved is irrelevant to illustrating frequency of composite data frame reconfiguration.

In processing an FRR request rejection (call blocking), the SPU is given the capability to reroute the requested channel or bandwidth on the existing VCP by means of a routing algorithm, or to request that a new VCP be established by the local anchor EFPS, in the same way as discussed above.

Each node on a VCP (both the anchoring EFPSs and 
the TFPSs on the VCP) individually makes a determi- 
nation of whether to grant an incoming FRR. This is 
accomplished by analysis at the respective node of (i) 
the current bandwidth usage profile of the local output 
trunk line; (ii) the values of the NMS bandwidth config- 
uration parameters; and (iii) the requested redistribution 
of bandwidth. Such analysis is performed only in re- 
sponse to an FRR requesting additional bandwidth, i.e., 
a T-slot channel request. Because principles of band- 
width conservation and maximum utilization are para- 
mount in the system, FRR requests to release band- 
width, i.e., T-slot channel releases, are responded to by 
an automatic grant of the FRR. 

The bandwidth allocation rules (algorithm) utilized in the presently preferred embodiment of the system and method of the invention are as follows:

A request for bandwidth is granted to an SPU only if each node on the VCP "agrees to it". Thus, both of the VCP anchor EFPSs and all of the TFPSs along the VCP have the ability to block the request.

A VCP node will grant a request for bandwidth if the local output link of the VCP meets the following criteria/algorithm⁸:

1) total BW in use < maximum utilization threshold;

2) requested T-slot type BW usage < max allowable BW usage for this T-slot type; and

3) requested T-slot type current BW usage < min guaranteed BW for this T-slot type, or total reserved BW on link < requested T-slot type call block threshold.

⁸ The algorithm uses NMS transmission link specific parameters discussed above. It should be observed that the bandwidth rules are based on the link profile which is in aggregate of all VCPs traversing the link — in contrast to bandwidth requests from an SPU, which are VCP specific.
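The per-node grant decision (criteria 1 to 3 above), together with the bandwidth seizing rule and the lowest-priority-first seizing order described for FIG. 9 and the notes to Table IV, as an added example. This is illustrative code written for this page, not the patent's implementation. The link utilization thresholds (50%, 65%, 80%) and the requesting T-slot type's parameters (min 20%, max 50%, call block level 2) are those of the FIG. 9 scenarios; the reservations of the other T-slot types, their priorities (a larger number meaning lower priority), the class and function names, and the rule that a request is evaluated against the requester's current usage are assumptions made here.

```python
"""Per-node FRR grant decision with bandwidth seizing (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class TSlotParams:
    """NMS transmission-link-specific parameters of one T-slot type (cf. Table IV)."""
    min_guaranteed: float    # % of link bit rate
    max_allowable: float     # % of link bit rate
    call_block_level: int    # level in the link utilization threshold table
    priority: int            # assumed: lower number = higher priority


@dataclass
class LinkProfile:
    """Aggregate profile of one output link across all VCPs traversing it."""
    thresholds: Dict[int, float]      # level -> utilization % (cf. Table III)
    params: Dict[str, TSlotParams]
    reserved: Dict[str, float]        # BW currently reserved per T-slot type, %

    def max_threshold(self) -> float:
        return max(self.thresholds.values())

    def total_reserved(self) -> float:
        return sum(self.reserved.values())


def seizing_allowed(link: LinkProfile, tslot: str) -> bool:
    """Seize BW from other types only when the requester is below its minimum
    guaranteed BW and the link is at or above its maximum utilization threshold."""
    p = link.params[tslot]
    return (link.reserved.get(tslot, 0.0) < p.min_guaranteed
            and link.total_reserved() >= link.max_threshold())


def seize_plan(link: LinkProfile, requester: str, amount: float) -> List[Tuple[str, float]]:
    """Which other T-slot types give up excess BW: lowest priority first, and only
    the part of their reservation above their own minimum guarantee."""
    victims = sorted((t for t in link.reserved if t != requester),
                     key=lambda t: link.params[t].priority, reverse=True)
    plan, remaining = [], float(amount)
    for t in victims:
        excess = link.reserved[t] - link.params[t].min_guaranteed
        take = min(max(excess, 0.0), remaining)
        if take > 0:
            plan.append((t, take))
            remaining -= take
        if remaining <= 0:
            break
    return plan


def grant_decision(link: LinkProfile, tslot: str, requested: float):
    """Evaluate an FRR for one channel of `tslot` needing `requested` % of link BW.
    Returns (granted, reason, seizing plan)."""
    p = link.params[tslot]
    used = link.reserved.get(tslot, 0.0)
    total = link.total_reserved()
    # 1) total BW in use < maximum utilization threshold; otherwise only seizing helps
    if total >= link.max_threshold():
        if seizing_allowed(link, tslot):
            return True, "granted by bandwidth seizing", seize_plan(link, tslot, requested)
        return False, "link at maximum utilization threshold", []
    # 2) requesting type's usage < its maximum allowable BW
    if used >= p.max_allowable:
        return False, "T-slot type at maximum allowable BW", []
    # 3) below its minimum guarantee, or link below this type's call block threshold
    if used < p.min_guaranteed or total < link.thresholds[p.call_block_level]:
        return True, "granted", []
    return False, "link at call block threshold and type above minimum guarantee", []


# FIG. 9 parameters for the requesting type "req"; the other types are constructed.
THRESHOLDS = {1: 50.0, 2: 65.0, 3: 80.0}
PARAMS = {"req": TSlotParams(20.0, 50.0, 2, 1),
          "x": TSlotParams(10.0, 60.0, 3, 3),
          "y": TSlotParams(20.0, 60.0, 3, 2)}


def fig9_scenarios():
    """The four FIG. 9 cases (other types' reservations are assumed values)."""
    cases = {"a": {"req": 25.0, "x": 30.0, "y": 25.0},   # link at 80%, req above min
             "b": {"req": 50.0, "x": 10.0},              # req at its max allowable
             "c": {"req": 30.0, "x": 35.0},              # link at 65% call block level
             "d": {"req": 10.0, "x": 40.0, "y": 30.0}}   # link at 80%, req below min
    return {k: grant_decision(LinkProfile(THRESHOLDS, PARAMS, v), "req", 4.0)
            for k, v in cases.items()}


if __name__ == "__main__":
    for case, result in fig9_scenarios().items():
        print(case, result)
```

Cases (a), (b) and (c) are rejected for the reasons the FIG. 9 discussion gives; case (d) is granted through seizing, and the plan shows the 4% taken from type "x", the lowest-priority type holding bandwidth above its own minimum guarantee.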

FIG. 9 illustrates examples of bandwidth allocation requests (FRRs) under various traffic conditions, i.e., BW grant/reject scenarios. Assumptions used for each case are as follows:

The link threshold utilization table is:

level   threshold
1       50%
2       65%
3       80%

The link specific parameters for the T-slot type of the channel requested are:
TABLE VI-continued

Throttling                          Scope                  Impact
...zation level only                (prioritized)          existing calls is degraded;
                                                           no data dropped by network
3) frame discard occurs during      indiscriminant         call blocking, all T-slots;
   link transmit queue congestion   (all T-slot types)     data is discarded without
                                                           consideration of T-slot
                                                           type or priority
minimum guaranteed BW = 20%
maximum allowable BW = 50%
call block threshold level = 2 (65%)

In each of the four scenarios of FIG. 9, the incoming FRR is a request for additional bandwidth on a link of the VCP for the node addressing the request. In the case represented by FIG. 9(a), the FRR is rejected by the node because the maximum link utilization threshold is 80% (this "threshold" is the measurement of actual bit usage as a percentage of link bit rate, or current bandwidth used), and here, only 20% of the available (unallocated) BW remains on the link. Hence, the link utilization is currently at the maximum threshold (for this link), and in that situation no T-slot requests are granted if to do so would cause the minimum guaranteed bandwidth to be exceeded for the requesting T-slot type. Here, the minimum guaranteed BW for the latter is 20%, and the percentage of BW allocated to channels of the latter is 25%. Therefore, the request is rejected (denied), even though the current allocated BW is less than the maximum allowable BW for the requesting T-slot type.

In the situation represented by FIG. 9(b), the FRR is rejected because the requesting T-slot type has already reached its maximum allowable BW (50%). In FIG. 9(c), the FRR is rejected because the current BW usage on the link is at the call block threshold level (measurement of total BW in use by all T-slot types on the link, here 65%, and which is the same as the link utilization threshold level), and the requesting T-slot type has already exceeded its minimum guaranteed BW.

In the scenario of FIG. 9(d), the FRR is granted by the node. Here, even though the link is at its maximum utilization threshold (80%), the requesting T-slot type is below its minimum guaranteed BW (10% versus 20%). Since the other 70% of BW up to the maximum utilization threshold is currently allocated to channels of other T-slot types, bandwidth seizing (to be discussed in greater detail presently herein) will be triggered.

The bandwidth allocation in response to FRRs has an impact on other T-slot types. That is, when channel requests for a "dormant" T-slot type begin increasing (up to its minimum guaranteed BW), the total link activity level may push other T-slot types, which are highly active, over their call block threshold. In that case, call blocking will be initiated on those other T-slot types, even though their respective activity levels on the link are not increasing. Call blocking will continue until the reserved BW of the other T-slot types falls to their respective minimum guaranteed BW levels. Call blocking (and BW seizing) will, however, take T-slot type priority level (gleaned from the PFC field) into account, so that the T-slot types of lower priority are "bumped" from their excess BW before the T-slot types of higher priority

The bandwidth seizing process is implemented according to the following algorithm. A given T-slot type channel will be allocated on a VCP at the expense of seizing bandwidth from other T-slot types if:

(1) BW reserved for the requesting T-slot type < minimum guaranteed BW for this T-slot type; and

(2) link utilization level is at or above the maximum

The NMS transmission link specific parameters may be configured so that when two or more T-slot types exceed their minimum guaranteed bandwidth, one can continue requesting more bandwidth at the expense of triggering call blocking on the other T-slot type(s). This is achievable by setting that T-slot's threshold and maximum allowable BW to higher values. However, an FRR by one T-slot type will not be granted at the expense of bandwidth seizing unless the requesting T-slot type is below its minimum guaranteed BW level. This rule is implemented in the system of the invention because bandwidth seizing results in degraded service for presently established connections.

The present invention utilizes a technique of frame compression for building and formatting the composite data frames, which, together with BW seizing, represents a difference in kind from the bandwidth contention technique taught by the 886 Patent and from other schemes taught by the prior art. For example, rather than having each burst on a subscriber connection contend for one of the statically allocated channels within the packet payload, according to this aspect of the invention any unused bandwidth is compressed completely out of the frame being launched. If a subscriber connection has data to send, it can fill its respective T-slot channel(s) on the next outgoing composite data frame being built for launching on the VCP. However, if the subscriber connection has no data to send at the time the frame is being composed, the local anchor EFPS simply compresses the frame by completely removing that channel.

This frame compression scheme unlocks bandwidth consumed by empty or partially empty payloads inherent in fixed size payload protocols such as ATM. The ISN network of the present invention utilizes a hybrid protocol in that the composite data frames are of vari-
Table VI below Ulusttates subscriber traffic throt- aWe rather than f«ed length, but thejshannels within 
tling techniques for composite data frame bandwidth the frame are of fixed size on a per T-slot type basis, 
management on trunk lines Ginks), and the relationship Locked bandwidth cannot be used for transporting 
between call blocking and other traffic throttling tech- subscriber data, nor is it even avaUable to the subscnber 
jjjnygj 60 data stream. It consists of (i) bandwidth consumed by 

framing overhead (header and trailer), GO a partially 

TABLE VI empty frame payload, Gii) transmission link control 

Thfoiiiing Scope Impact signalling, and (iv) network control signalling. The 

Dcaii per T-dot basis - no new connections granted relatively small channel sizes in the composite data 

blocking at T.sloi specific quality of service to 6S frame of the invention, compared to the prior art ISDN 

link oiiiiration oisiing connections not jj, j jj^ schemes, minimize fixed size payload utiliza- 

2)BW ^rCSlSf? SttJlking tion sensitivity to traffic characteristics (c.g., burst/, 

seizing <t max link utfli- quality of service to block size and frequency). The frame compression tech- 
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nique and the structure of the composite frame tend to 
drive the ratio of effective bandwidth utilization 
(EBW), i.e., the percentage of BW consumed by the 
subscriber data stream, to actual bandwidth utilization 
(ABW), i.e., the sum of the percentage of BW con- 5 
sumed by the subscriber data stream plus the percentage 
of locked bandwidth, toward the ideal ratio of EBW- 
/ABW=1. 
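The FRR grant and reject rules illustrated by FIG. 9 (maximum allowable BW, the link utilization/call block threshold, and the minimum guaranteed BW exception that triggers bandwidth seizing), together with the priority rule under which lower priority T-slot types are bumped first, as an added Python example that is not part of the patent. The class and function names, the convention that a larger priority value means higher priority, and every figure other than those quoted from FIG. 9 are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    GRANT = "granted"
    GRANT_WITH_SEIZING = "granted; bandwidth seizing triggered on other T-slot types"
    REJECT_MAX_ALLOWABLE = "rejected: requester already at its maximum allowable BW"
    REJECT_LINK_THRESHOLD = "rejected: link at threshold and requester above its minimum guaranteed BW"


@dataclass(frozen=True)
class TSlotType:
    name: str
    priority: int           # transmission priority; larger value = higher priority (assumed convention)
    allocated: float        # % of link BW currently allocated to channels of this type
    min_guaranteed: float   # % of link BW guaranteed to this type (NMS configured)
    max_allowable: float    # % of link BW this type may never exceed (NMS configured)


@dataclass(frozen=True)
class Link:
    utilization: float      # % of link BW in use by all T-slot types
    threshold: float        # link utilization / call block threshold (the same value in FIG. 9(c))


def decide_frr(requester: TSlotType, link: Link) -> Decision:
    """Frame reconfiguration request (FRR) admission at a node, following the FIG. 9 rules."""
    # FIG. 9(b): a type that has reached its maximum allowable BW never gets more.
    if requester.allocated >= requester.max_allowable:
        return Decision.REJECT_MAX_ALLOWABLE
    below_min = requester.allocated < requester.min_guaranteed
    congested = link.utilization >= link.threshold
    if congested and not below_min:
        # FIG. 9(a)/(c): no spare BW below the threshold and the requester is already
        # above its guarantee, so it may not grow at the expense of other types.
        return Decision.REJECT_LINK_THRESHOLD
    if congested and below_min:
        # FIG. 9(d): the guarantee is honoured even on a congested link; the BW has to be
        # seized from other types. This is the only case in which an FRR triggers seizing.
        return Decision.GRANT_WITH_SEIZING
    return Decision.GRANT


def seizure_order(requester: TSlotType, others: list) -> list:
    """Names of the T-slot types from which BW may be seized for `requester`: those above
    their minimum guaranteed BW and of lower priority than the requester, lowest priority first."""
    victims = [t for t in others
               if t.allocated > t.min_guaranteed and t.priority < requester.priority]
    return [t.name for t in sorted(victims, key=lambda t: t.priority)]


if __name__ == "__main__":
    # Constructed scenario matching FIG. 9(d): link at its 80% threshold, requester at 10% of a 20% guarantee.
    video = TSlotType("video", priority=2, allocated=10, min_guaranteed=20, max_allowable=50)
    print(decide_frr(video, Link(utilization=80, threshold=80)).value)
```

The four FIG. 9 cases map onto the three checks in order: the maximum allowable test is absolute, the threshold test only bites for a requester that is already above its guarantee, and a requester below its guarantee is the only one for which the node pays with seizing.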

Frame compression eliminates two causes of partially empty payloads, viz., (1) an empty channel attributable to the subscriber having been idle during the last frame launch period, and/or (2) the T-slot type for the channel in question is undergoing flow control on this VCP. The scheme results in omission of empty channels from the composite data frames; in effect, the frame is "collapsed" before it is launched. Neither additional control signalling between nodes on the VCP nor frame reconfiguration is required for frame compression.

In performing the preferred method of frame compression, no space is allocated for a channel by the VCP anchor EFPS during frame composition unless the associated SPU has posted a cell as being ready for transmission. In this context, "cell" refers to a unit of subscriber data that the SPU places in a predefined memory location ("bucket") which is checked by the anchor EFPS during the next frame launch. That cell will be included by the EFPS in the next frame if the SPU has posted (flagged) it as being ready. The size of the cell is equal to the size of the channel for the T-slot (traffic component) type of the particular subscriber. If a partial cell is posted, the EFPS will include and launch it in the next data frame, resulting in a partially filled channel. However, depending on the traffic characteristics of the particular traffic component type, such as delay insensitivity, the SPU may elect not to post a partial cell in the expectation that it may be filled during the next frame launch period.

If the SPU has not posted a cell for a particular subscriber, the anchor EFPS notes the absence of a flag for the bucket and sets the PFC field bit associated with the channel allocated to that subscriber (the respective "C" bit) to "not present" (i.e., C=0). In an alternative embodiment and method, if a specific T-slot type were not required to have "per channel" PFC bits (i.e., C bits), so that frame compression were not performed on a per channel basis, it would be performed on the basis that either all of the channels are present or none is present, as indicated by the "per T-slot" presence bit (i.e., the "B" bit) in the PFC field. In this respect, it should be noted that for T-slot types with very small channels and/or highly active subscribers, per channel frame compression is less effective from a bandwidth or processing standpoint than with larger sized channels or where the subscriber is somewhat less active.

FIG. 10 is a simplified diagram of a VCP anchor EFPS illustrating the launching of composite data frames utilizing the frame compression method of the invention. EFPS 120 is the local VCP anchor, which built and launched composite data frame 122 in the immediately previous frame launch period. In its header, frame 122 has a PFC field which includes, for one of the frame's T-slots, an A bit=0 (indicating no flow control), the B bit=1 (indicating presence of the associated T-slot), and a sequence of C bits all of which =1 (indicating presence of each of the three channels in the payload of the frame for that T-slot). For the frame 123 being composed during the current frame launch period, however, the SPUs of EFPS 120 have posted cells for only subscribers (channels) 1 and 3 of this T-slot. Consequently, this frame is compressed without a channel 2 as indicated by C=0 in the PFC field for this T-slot.

The anchor EFPS at the remote side of the VCP receives each composite data frame, such as 123, transported on the VCP, and interprets the payload format during frame decomposition by comparing the delta change in the PFC field of the incoming frame relative to the frame format template which was received and stored during the last frame reconfiguration. In the situation represented by FIG. 10, the remote EFPS thereby recognizes the absence of channel 2 of the first T-slot in frame 123.
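Frame composition with per-channel C bits and decomposition against the stored template, as described for FIG. 10 (cells posted for channels 1 and 3 only, channel 2 compressed out) and for the per-T-slot B bit alternative, as an added Python example that is not part of the patent. The 8-byte channel size, the representation of the PFC entries as small records, the zero padding of a partial cell, and the cell contents are constructed assumptions, since the patent does not give a bit-level encoding; the decomposer rejects a frame whose PFC bits and payload length disagree rather than guessing a layout.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TSlotTemplate:
    """One T-slot of the frame format template agreed at the last reconfiguration."""
    channel_size: int              # bytes per channel, fixed per T-slot type
    channels: int                  # channels allocated to this T-slot
    per_channel_bits: bool = True  # False: alternative embodiment, B bit only, no C bits


@dataclass(frozen=True)
class PFCEntry:
    """PFC field bits for one T-slot."""
    a: int                  # flow control bit (1 = flow control requested)
    b: int                  # T-slot present bit
    c: Tuple[int, ...]      # per-channel present bits; empty when the T-slot has no C bits


def _fit(cell: bytes, size: int) -> bytes:
    """A partial cell is launched in a partially filled channel: pad it to the channel size."""
    if len(cell) > size:
        raise ValueError("cell larger than the channel of its T-slot type")
    return cell + bytes(size - len(cell))


def compose_frame(template: List[TSlotTemplate],
                  posted: List[List[Optional[bytes]]],
                  flow_control: Optional[List[int]] = None) -> Tuple[List[PFCEntry], bytes]:
    """Local anchor EFPS: build the PFC field and payload from the cells the SPUs posted.
    posted[i][j] is the cell for channel j of T-slot i, or None if nothing was posted."""
    flow_control = flow_control or [0] * len(template)
    pfc: List[PFCEntry] = []
    payload = bytearray()
    for tslot, cells, a in zip(template, posted, flow_control):
        if len(cells) != tslot.channels:
            raise ValueError("posted cells do not match the template")
        present = [cell is not None for cell in cells]
        if tslot.per_channel_bits:
            # Per-channel compression: absent channels are removed and marked with C=0.
            b, c = int(any(present)), tuple(int(p) for p in present)
            launched = [cell for cell in cells if cell is not None]
        else:
            # All-or-nothing: the T-slot is launched only when every channel was posted.
            b, c = int(all(present)), ()
            launched = list(cells) if b else []
        for cell in launched:
            payload += _fit(cell, tslot.channel_size)
        pfc.append(PFCEntry(a, b, c))
    return pfc, bytes(payload)


def decompose_frame(template: List[TSlotTemplate], pfc: List[PFCEntry],
                    payload: bytes) -> List[List[Optional[bytes]]]:
    """Remote anchor EFPS: recover the channels by reading the PFC field against the
    stored template. A frame whose bits and length disagree is rejected, not guessed."""
    if len(pfc) != len(template):
        raise ValueError("PFC field does not match the template")
    out: List[List[Optional[bytes]]] = []
    pos = 0
    for tslot, entry in zip(template, pfc):
        if tslot.per_channel_bits:
            if len(entry.c) != tslot.channels:
                raise ValueError("C bits do not match the template")
            present = [bool(bit) for bit in entry.c]
        else:
            present = [bool(entry.b)] * tslot.channels
        channels: List[Optional[bytes]] = []
        for is_present in present:
            if not is_present:
                channels.append(None)
                continue
            end = pos + tslot.channel_size
            if end > len(payload):
                raise ValueError("payload shorter than the PFC field advertises")
            channels.append(payload[pos:end])
            pos = end
        out.append(channels)
    if pos != len(payload):
        raise ValueError("trailing bytes after the last advertised channel")
    return out


if __name__ == "__main__":
    # FIG. 10: one T-slot of three channels (8-byte channels assumed); cells posted for 1 and 3 only.
    template = [TSlotTemplate(channel_size=8, channels=3)]
    pfc, payload = compose_frame(template, [[b"cell-1", None, b"cell-3"]])
    print(pfc, len(payload), decompose_frame(template, pfc, payload))
```

An all-empty frame still composes (B=0, empty payload), which is the case the text relies on for keeping the synchronous frame launch going when no channel has data.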

In the architecture of the preferred embodiment of the multimedia transmission system according to the invention, a frame is sent even if no data is being transmitted in its T-slots. This not only informs the remote side EFPS that no channels are active, but also serves the purpose of maintaining the synchronous frame launch aspect of the invention. Otherwise, it would be necessary to dispatch time stamps to indicate the particular time that each frame is launched, to keep track of individual frames in the network for use in the frame decomposition process at the remote anchor EFPS. Synchronous launching of the frames at predetermined equal intervals of time throughout the network eliminates the need to send such additional information regarding timing. Each node that receives a frame (whether TFPS or remote EFPS) recognizes that the preceding packet was sent one millisecond (or whatever other synchronous frame launch interval is used) before the current one.

Frame compression is a core building block of the 
bandwidth seizing technique. In essence, the latter is a 
flow control technique which is sensitive to the NMS 
assigned T-slot priorities, and to the unique traffic char- 
acteristics (such as delay, data loss, packet jitter, etc.) of 
each traffic component type. As previously observed 
herein, bandwidth seizing is used during high link utili- 
zation periods to temporarily reallocate reserved band- 
width from a T-slot type exceeding its maximum guar- 
anteed bandwidth to a T-slot type which is below its 
minimum guaranteed level and is requesting additional 
bandwidth, or to provide basic flow control of all traffic 
components. It allows maximum bandwidth sharing and 
allocation, as a percentage of total link capacity, with- 
out increasing the risks of call blocking and/or unac- 
ceptable degradation of service quality. 

The bandwidth seizing technique of the invention requires no additional bandwidth for its initiation, in contrast, for example, to the flow control technique utilized in an X.25 network which requires a "received-not-ready" (RNR) control packet (with its additional BW overhead) to be sent to initiate flow control. Furthermore, frame reconfiguration is not required, but frame compression is automatically triggered when the SPUs reduce traffic onto the network by not posting cells during frame composition. As illustrated by the traffic throttling techniques of Table VI above, bandwidth seizing is a more "drastic" throttling technique than call blocking, but less "drastic" than frame discard.

In processing the composite data frame on a VCP, each TFPS initiates flow control when an associated link's transmit queue size crosses a predefined link utilization threshold level indicative of congestion. This situation may arise either when (i) a new channel request is made by a T-slot type which is below its minimum guaranteed BW level, or (ii) a statistical aberration occurs in which an unusually large number of already allocated channels on each VCP are simultaneously sending data (i.e., all SPUs are posting cells for each frame launch). It will be understood, of course, that although packet switching is a statistical multiplexing approach which assumes certain averages, and not peak usage, nevertheless, peaks do occur.

When flow control is called for, it is initiated on T-slots exceeding their minimum guaranteed BW, starting with T-slots of the lowest priority. For each composite data frame in the receive queue on the congested link of the affected TFPS, the TFPS sets the A bits to 1 (indicative of flow control requirement) in the PFC field corresponding to the affected T-slot types. At the EFPS(s) that receives frames with this modified PFC field, the response is to implement bandwidth seizing, in the manner illustrated by the sequence of parts (a), (b), (c) and (d) of FIG. 11.

Referring to FIG. 11(a), anchor EFPSs 130, 131 and 132 for three different VCPs 134, 135 and 136, respectively, build and launch composite data frames onto the respective VCPs during each frame launch period. An SPU associated with each EFPS posts cells from each subscriber data stream to be composed within channels of the respective T-slot type in the composite data frame for launching onto the respective VCP. In this example, all three of the VCPs traverse transit node (TFPS) 138. Each of the EFPSs has two subscribers (numbered 1 through 6, respectively) providing data streams of different traffic component types. The PFC bits (only A and B are shown here, for the sake of simplicity and because the individual channel bits are not used for this activity) in the headers of the data frames 141, 142 launched by EFPSs 131 and 132 respectively, indicate the presence of two T-slot types each (both B bits=1) and no flow control for either (both A bits=0). (Also for simplicity's sake, individual channel information is not shown for the two T-slots in each of those payloads).

An FRR control frame 137 is issued by EFPS 130 requesting additional bandwidth for a T-slot type which is below its minimum guaranteed BW level at the congested link 139, which carries all three VCPs at the other side of TFPS 138. Link 139 has reached the maximum utilization threshold level on the transmit queue from the TFPS. Also, the T-slot types in the incoming frames 141, 142 from EFPSs 131 and 132 are currently exceeding their respective minimum guaranteed BWs. Under these conditions, bandwidth seizing from those T-slot types is required. According to this aspect of the invention, those T-slot types which exceed their minimum guaranteed bandwidth, and which are at a lower transmission priority level (assigned priority ranking, as discussed above) than the traffic component which is requesting more bandwidth, will have bandwidth seized from them.

In FIG. 11(b), the VCP anchor EFPSs are notified of the need for bandwidth seizing. TFPS 138 (and any other transit node having a congested link, i.e., maximum link utilization, and experiencing the same conditions) responds to the conditions of FIG. 11(a) by setting the A (flow control) bit in the PFC field(s) of the affected T-slot(s) (i.e., those of lower priority and from which BW is to be seized) to 1, in frames (e.g., 145, 146) in the receive queue at that TFPS destined toward the VCP anchor EFPSs which are generating the excessive traffic (EFPSs 131, 132 in this example), thereby requesting flow control. Only the PFC flow control bit associated with the first T-slot in each of frames 145 and 146 has been so modified, in this example. All composite data frames in the receive queue for this TFPS are affected, without regard to which of the three VCPs they are associated with. These are data frames which were launched from the remote side anchor EFPS of the respective VCP. EFPS 130, which issued the pending reconfiguration request (FRR control frame 137) will continue to launch composite data frames with the previous format for the entire period that the FRR is pending.

In FIG. 11(c), during decomposition of the received frames at EFPSs 131, 132, the flow control indication for the affected T-slots (one on each VCP in this example) is detected from the associated A bits in the frame headers. As a result, the fast packet internal protocol (FIP) subsystems in these EFPSs dispatch flow control command cells (indicated at 147, 148) to their respective SPUs to perform less frequent posting of cells for building and launching the composite data frames by their respective EFPSs. During this time, the congestion has not yet been alleviated on the transmit queue at TFPS 138 for link 139.
In FIG. 11(d), frame compression is implemented to free up bandwidth (by seizing it) from the T-slots affected by the flow control request. The less frequent posting of cells by the affected SPUs results in frame compression by eliminating some or all channels of the affected T-slot type(s) in some of the composite data frames. To that end, the algorithm utilized for the purpose may be customized on a per T-slot basis, for example, to use voice clipping techniques for discarding portions of the data stream of a voice traffic component subscriber, and to permit sending an RNR control packet by an X.25 data traffic component subscriber because of its lower tolerance of data loss but greater tolerance of delay than the voice traffic component. It is not necessary that the transit node be cognizant of the method used at the EFPSs to relinquish bandwidth as part of the BW seizing process, and consequently, the ISN network design is simplified. That is, for example, a new traffic component type may be introduced into the network without requiring redesign of the internal/transit network.

The freed bandwidth or a portion thereof is thereby reallocated (i.e., redistributed), and the FRR 137 which has been held by TFPS 138 is dispatched to the next transit node along the VCP(s) once the traffic profile indicates that TFPS 138 (or more accurately, its associated link of interest) is no longer congested. Composite data frames 151 and 152 launched by EFPSs 131 and 132, respectively, have flow control bits set and T-slot non-present bits in the portion of the PFC field associated with the first T-slot of the data frame, attributable to the flow control/frame compression. Although link 139 may remain at the maximum congestion threshold for a period after BW seizing is implemented, the T-slot type distribution will have changed as a result of the flow control and redistribution of bandwidth to relieve the congestion in relatively short order.

A VCP template is stored at each TFPS (and at the EFPS anchors) to describe the composite data frame format of each VCP that traverses the link(s) on which this transit node is located. The TFPS also stores the above-described T-slot type profile table, which specifies, among other things, the priority level of each traffic component type supported by the ISN network. This information allows the transit node to readily determine whether a traffic component type requiring additional bandwidth is of higher or lower priority than other T-slot types on the VCPs traversing the associated link, their respective minimum guaranteed and maximum allowable bandwidths, the state of congestion and maximum utilization of the link, and accordingly, whether or not bandwidth seizing should be invoked for flow control of one or more of the traffic components. If needed, bandwidth seizing is performed simply by changing a bit value in the PFC field to adjust the traffic flow of selected T-slot types.

Although bandwidth seizing is initiated by the transit node at the point of traffic congestion, the reduction in bandwidth usage is handled at the VCP anchor points by the T-slot-specific SPU subsystems for as long as the transit node continues to require the bandwidth seizing. Bandwidth reduction is the same percentage of maximum or targeted bandwidth for each of the respective traffic component types. For example, a 64 kb PCM voice channel which is reduced, because of BW seizing, by 50% will produce a maximum reduction of 32 kb/sec. A suitable algorithm for that purpose would change the posting of a cell by the respective SPU from an 8-byte channel every 1 ms to an 8-byte channel every 2 ms, using ADPCM techniques to compress the voice.

If the transit node determines that bandwidth on a given link is to be seized from one or more other traffic component types, the TFPS periodically examines a data frame in its receive queue for T-slots being flow controlled, and sets the PFC flow control bit to maintain BW seizing. When the link profile template indicates that BW seizing is no longer needed, this periodic examination of packets is ceased. The SPUs may be commanded to continue flow control at their respective EFPSs (by the process of less frequent posting of cells for the building of the composite data frames) until no "refresh" (i.e., no PFC bit requiring flow control) is encountered in decomposition of a received frame for a predefined time period N.

The bandwidth seizing scheme of the invention is especially effective when used in conjunction with a network wide synchronous frame launch time. A one millisecond launch interval, for example, provides excellent bandwidth utilization and short packetization delay. Because bandwidth seizing granularity measured in seconds (typically, 15 to 30 seconds, versus a 1 ms frame launch interval) is four orders of magnitude slower than frames launched on each VCP, the transit node need not be precise about setting the PFC field and yet will still assure total control of bandwidth seizing. Indeed, the transit node may be somewhat imprecise and inconsistent with setting PFC bits in one or more frames associated with each VCP traversing the affected link within a time period N, without adversely affecting such control. For example, assuming a 1 ms frame launch interval, and that the SPU exercises flow control for 10 seconds after the last bit requirement for same is received, an algorithm which provides that at least one packet in 10,000 packets per VCP has bandwidth seizing set in the PFC field will assure maintenance of bandwidth seizing on the link. Thus, despite imprecision, the technique provides reliable results and rapid reaction/initiation. With an average nodal delay of one ms and an average hop count (i.e., the number of nodes traversed by a VCP) of six per VCP, and a one ms launch interval, bandwidth can be seized and reallocated in less than six milliseconds. This excludes the propagation delay of the particular network transmission medium, which, for example, is the speed of light for a fiber optic network.
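The maintenance of bandwidth seizing described in the two preceding paragraphs (the TFPS refreshing the A bit in at least one frame in 10,000 per VCP at a 1 ms launch interval, and the SPU holding flow control for a period N of 10 seconds after the last refresh while posting at a reduced rate), as an added Python simulation that is not part of the patent. The class names, the representation of the 50% reduction as posting on every second launch period, and the run lengths are constructed assumptions; the simulation also shows what happens when the refresh interval is longer than N, which the patent does not work through.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TransitNodeSeizer:
    """TFPS side (assumed name): while its link needs BW seizing it sets A=1 in at least
    one of every `refresh_every` frames per VCP; exact placement is not required."""
    refresh_every: int = 10_000     # one frame in 10,000 = every 10 s at a 1 ms launch interval
    seizing: bool = False

    def mark_a_bit(self, frame_seq: int) -> int:
        """Return the A bit this TFPS writes into frame number `frame_seq` of a VCP."""
        if not self.seizing:
            return 0
        return int(frame_seq % self.refresh_every == 0)


@dataclass
class SpuFlowControl:
    """SPU side (assumed name): after a frame with A=1 is decomposed, hold flow control for
    `hold_ms` (the period N) and post a cell only every `slowdown`-th launch period;
    slowdown=2 is the 64 kb PCM channel cut to 32 kb/s by posting every 2 ms instead of 1 ms."""
    hold_ms: int = 10_000
    slowdown: int = 2
    last_refresh_ms: Optional[int] = None

    def on_frame(self, a_bit: int, now_ms: int) -> None:
        if a_bit:
            self.last_refresh_ms = now_ms       # any refresh restarts the hold timer

    def active(self, now_ms: int) -> bool:
        return (self.last_refresh_ms is not None
                and now_ms - self.last_refresh_ms < self.hold_ms)

    def should_post(self, now_ms: int, launch_ms: int = 1) -> bool:
        if not self.active(now_ms):
            return True                          # normal rate: a cell every launch period
        return (now_ms // launch_ms) % self.slowdown == 0


def simulate(seize_until_ms: int, total_ms: int,
             refresh_every: int = 10_000, hold_ms: int = 10_000) -> Tuple[int, int, Optional[int]]:
    """Drive one VCP with a 1 ms launch clock. The TFPS requires seizing until seize_until_ms.
    Returns (cells posted while seizing was required, cells posted afterwards,
    ms at which the SPU dropped flow control, or None if it never did)."""
    tfps = TransitNodeSeizer(refresh_every=refresh_every, seizing=True)
    spu = SpuFlowControl(hold_ms=hold_ms)
    posted_during = posted_after = 0
    released_at: Optional[int] = None
    for t in range(total_ms):
        tfps.seizing = t < seize_until_ms
        spu.on_frame(tfps.mark_a_bit(t), t)      # frame decomposed at the anchor EFPS
        if spu.should_post(t):
            if t < seize_until_ms:
                posted_during += 1
            else:
                posted_after += 1
        if released_at is None and t >= seize_until_ms and not spu.active(t):
            released_at = t
    return posted_during, posted_after, released_at


if __name__ == "__main__":
    # 25 s of seizing in a 40 s run: half-rate posting throughout, release 10 s after the last refresh.
    print(simulate(seize_until_ms=25_000, total_ms=40_000))
```

With a refresh at least every N the SPU never returns to full rate while seizing is required, whatever the exact frames the TFPS picks; with a refresh interval longer than N (12,000 frames against a 10 s hold) the SPU resumes full-rate posting in the gaps, which is the failure the one-in-10,000 rule is sized to avoid.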

This form of communication via the PFC field is not a link protocol, but a network layer protocol. Any TFPS or remote EFPS may use it to notify the source anchor EFPS of bandwidth seizing. Many variations may be employed of the amount of bandwidth to be relinquished. A simple and straight-forward approach is to employ a fixed percentage reduction of traffic at each interface, for example, 25%. Another approach is to progressively reduce the traffic when bandwidth seizing is initiated and while it is in effect, and then progressively allow more traffic when BW seizing is ceased. Still another approach is based on the frequency, i.e., the percentage of data packets, in which the PFC field flow control (here, BW seizing) indication is set. Again, the communication and maintenance of bandwidth seizing requires only a small percentage of packets (one in every 10,000 to 30,000 packets would suffice) to carry the indication.

The TLS associated with the anchoring EFPS is adapted to store a VCP profile table for each VCP anchored on that EFPS. FIG. 12 illustrates the manner in which the VCP may be anchored in the EFPS. The VCP profile table to be stored preferably includes the following information: (1) the address of the remote side EFPS which anchors this VCP; (2) the location of the local VCP anchor (which may be either at a TLS or an SLS); (3) the number of subscriber VCs and their respective bandwidth requirements on the VCP (in composite data frame environment, number of channels and T-slot type); and (4) the number of other VCPs anchored on this EFPS which are also anchored on the same remote EFPS (note that two EFPSs may have more than one VCP connecting them simultaneously, because of heavy traffic between those two points). For each of the latter VCPs, information is also kept regarding the number of channels and the T-slot type of the channels.

In FIG. 12, VCPs A and B are routed through TLS 155. VCP A is TLS-anchored (to TLS 155), and VCP B is SLS-anchored (to SLS 158). VCPs C, D and E are routed through TLS 156. VCPs C and E are SLS-anchored (at SLSs 157 and 158, respectively), and VCP D is TLS-anchored (at TLS 156). The anchoring to the SLSs is through the switching fabric 160. As observed in the description pertaining to FIG. 2 above, the decision of whether to anchor a VCP on an SLS or a TLS is based on the traffic patterns between the source and destination EFPSs. The general guidelines for arriving at this decision are as follows. First, a VCP anchor only multiplexes VCs that terminate on the same EFPS as the anchor. Second, all TLSs and SLSs include full fast packet internal protocol functionality, and therefore can anchor a VCP. Third, a subscriber data stream should not pass through the switch fabric more than once. (An exception is local switching, because the source and destination anchors are on the same EFPS).
The choice of whether to have multiple parallel VCPs between a local EFPS and a remote EFPS, and of where to locate the VCP anchor(s) (on a TLS or an SLS), is also driven by the opportunity to multiplex (OTM) onto the VCP. A VCP is anchored on TLSs when there is OTM of subscriber data streams (VCs) originating on different SLSs (such as for VCP A and VCP D in FIG. 12, where subscriber data streams from both
SLSs 157 and 158 may be multiplexed onto either VCP). This results in larger payload to header ratios, while minimizing each subscriber's packetization delay. A VCP is anchored on an SLS when there is no OTM of the VCs originating on this SLS with VCs originating on another SLS, either because it is not possible or not economical to do so. It is not economical to multiplex VCs originating on different SLSs for either of the following reasons:

the payload/header ratio is so small that it is not justifiable to burden the performance oriented TLS with endpoint switching activities for this VCP;

a VCP channel is so large (e.g., 750 kbps video) that multiplexing with other VCs is not necessary to assure low packetization delay and a good payload/header ratio.

When a VCP is anchored on an SLS, the performance oriented TLS is only required to perform transit switching activities for composite data frames or control frames associated with the VCP. Endpoint processing to transit processing ratio may, for example, be in the 4:1 to 8:1 ratio.

OTM onto a VCP is a function of (i) the number of subscriber VCs going to the same remote EFPS (i.e., the number of channels), (ii) the amount of dispersement of channels over SLSs (e.g., whether all candidate VCs originate on one SLS, or on different SLSs), and (iii) the amount of bandwidth requested by the subscriber VCs (i.e., the size of T-slot type channels in the present architecture). An SLS based VCP preferably only multiplexes VCs originating on that SLS. Otherwise, as noted above, the EFPS performance is degraded because subscriber data must pass through the system switching fabric twice: once from the originating SLS to the SLS where the VCP anchor is located, and once more when the data is framed and sent to the TLS for transmission onto the trunk line toward the remote EFPS. This constitutes unacceptable overhead for the system.

A TLS anchor has the benefit of capability to multiplex onto one VCP the different subscriber connections from multiple SLSs, thus optimizing trunk line and transit node effectiveness; and the drawback of added overhead/complexity of SLS/TLS communication. An SLS anchor has the benefits that, (1) for VCPs with subscriber connections originating on the same SLS (i.e., only one SLS needs the VCP), it eliminates the overhead of TLS/SLS synchronization when the TLS has no OTM, and (2) for super-rate channels (i.e., one channel per VCP), there is again no OTM.

In the local switching example of FIG. 13, the "VCP anchors" are at SLSs 168 and 169 of EFPS 170, and do not require full processing. The subscriber data streams are exchanged by the SLSs using cells, without ever requiring composition or decomposition of composite data frames, keeping VCP state information (templates), or many other requirements of the normal VCP processing/transmission. Clearly, this is a special case, but one worth mentioning. Both SLSs view the logical VCP as at the other side of the TLSs 171, 172 of EFPS 170, with both SLSs performing processing as though their subscriber data is controlled by a TLS based VCP.

The long term nature of VCPs and the inherent lack of tight coupling with current subscriber traffic (VCs) requires a periodic reevaluation of optimal VCP anchor location and VC loading (i.e., number of VCs multiplexed). As network traffic conditions change over time, the present invention allows relocation of the VCP anchor to the optimal location for those conditions. An EFPS is able to reroute VCPs, relocate VCP anchors, consolidate VCP anchors, and subdivide a VCP.

The purposes of automated VCP location will be further clarified by the following examples. As the VC load increases between an EFPS pair, multiple SLS anchored VCPs will be consolidated into a single TLS based VCP which uses the network-wide frame launch period. On the other hand, a TLS anchored VCP may be converted to an SLS anchored VCP (and even subdivided into several SLS anchored VCPs) when the VCP traffic load drops to a level that the payload/header size is unacceptably small in the network-wide frame launch period environment. An existing VCP may be rerouted/reconnected if the existing route is suboptimal because of network topology or traffic conditions at the time the route was established. It should be noted that, unlike other causes of VCP relocation, VCP rerouting may be attributable to network conditions unrelated to local subscriber traffic changes.

With respect to changing network traffic conditions which justify relocation of a VCP anchor, if it were assumed, for example, that the threshold for the function (designated θ) representing OTM onto a VCP is a constant value (designated φ), the conditions for VCP anchoring on the TLS or the SLS may be presented as follows:

θ < φ

θ > φ

Particular values for φ are to be defined for each individual implementation case. FIG. 14 illustrates a hypothetical case of the anchoring process in real time. The VCP should be anchored on the TLS as soon as θ crosses and exceeds φ, and should be anchored on the SLS when θ falls below φ. According to an aspect of the invention, either of two basic approaches may be used to trigger anchor relocation, viz.: (1) relocation on demand, and (2) periodic relocation.

In the relocation on demand approach, anchor location is reevaluated during each VC call request from a subscriber. After receiving the call request, the SLS retrieves descriptors S, R and C and makes a routing decision defining a fourth descriptor T. R is the address of the remote EFPS which anchors this VCP; S and T represent the SLS and TLS (one or the other), respectively, for the location of the local VCP anchor, and C represents the number of channels for a given T-slot type. These constitute the four descriptors of the VC/channel. At the request of the SLS, the TLS checks the anchoring conditions and reports its decision back to the SLS, namely, either (i) open a new or join the existing VCP with the TLS anchor or (ii) open a new or join the existing VCP with the SLS anchor. This decision is based on the state of the value of θ relative to the threshold level φ illustrated in FIG. 14. (The activity/decision can also trigger VCP consolidation/fragmentation as shown in the flow diagrams of FIGS. 15 and 16, described below).

In the periodic relocation approach, the relocation occurs on a fixed time interval or time of day basis. A principal purpose of this approach or mode is to correct suboptimal anchoring. Corrections must be made because the number of active channels can change over time regardless of the arrival rate of call requests. Assume, for example, that a call clear on one VC results in a value of θ which is below φ (FIG. 14), and that this condition prevails for a relatively long time interval. Periodic relocation corrects this situation by re-anchoring the corresponding VCP from the TLS to the SLS. The accuracy of the process depends upon a fixed time interval (or fixed time of day) for the relocation. A trade off between frequency of relocation and accuracy of the process should be made for each individual implementation/network. Unlike relocation on demand, the periodic relocation mode, in which the relative values of θ and φ (i.e., θ/φ) are periodically analyzed, reduces the possibility of thrashing between anchor locations.

The processing logic is illustrated in flow chart form in FIGS. 15 and 16. Referring to FIG. 15, which is a simplified example of adaptive anchoring showing relo-

If, however, flow control is required, bandwidth seizing will be performed at the node. In that event, the A bit in the PFC field is set to 1 for all VCPs (not merely the VCP from which the FRR was received) using the particular link for all frames being transmitted (traveling) in the direction opposite from that of the FRR. Thereafter, periodic link/T-slot profile verification is performed at the node.

According to a feature of the system of the invention, a timer is utilized to determine whether or not flow control should be maintained. Referring again to the chart of FIG. 17, at the moment that flow control is set up, the timer is started to require periodic profile verification, meaning that the link/T-slot profile is analyzed periodically at the node. If bandwidth seizing is required, the timer continues into the next cycle. As

cation on channel request, the SLS receives a call re- above, any transit node (TFPS) along the VCP 

quest from a subscriber and retrieves the descriptors S, can set the A bit (to 1) and thereby turn on the flow 

R and C. and then makes a routing decision defining the control. Network transmission is taking place at very 

TLS number T. The SLS then sends the channel re- ^^^^ ^P^' with a considerable number of frames mov- 

quest to the chosen TLS. The TLS performs bandwidth "1^ ^J^^f ^ ^^^^^^ 

verification, and if no bandwidth is available the chan- ^iven TIT'S Therefore, it would be an undue burden to 

nel request is denied. However, if bandwidth is avail- T!*^";*"^ I^l^^^^ ^° determine what the sUte of the A 

able, the anchor location choice of SLS or TLS is based f ^^^^ mcommg frame by performing the 

on the value of 0 relative to <(). If, as a result, the SLS " "^^^f ^ary analysis^d then set or reset flow control for 

location is selected, the SLS is notified to build or to ^ f^*^ thrashmg at the 

utilize an SLS based anchor. If the TLS location is " "^"^y^^' 'T?- '"^^ r*"^ 

selected, a decision is made as to whether consolidation f ^ T'^^^* ^^^7 ^'"^^ ^".""g 

Is required. If not, normal Frame Reconfiguration is ^"^J^f^^^ 

begun for replacement channels (those being consoli- ,01°^^^^. '^^^^ 'TT.' ' "^""^ 

dated). If consolidation is needed, a TLS anchored ^'Z % f ?™P^r ^l^V^t^^'^.^^^.^ 

VCP is established and all SLS b;sed anchors to be t^J^t'^^^^^^ 

««»:r«j -m, i r n appropriate state of flow control at the node. This as- 

Zr^, n^^^^^^ " ^/""^^ ^"T" P^^* °f '"mention recognizes that flow control is 

Stln L^^^^^^^ the ongmal request, and a wait is 3, ^^.^ , ^^^^^^ 

nTrtw! K '^"'^ specifically, the particular inteiVal which has 

nels (those being consolidated). Thereafter, the same ^ee^ ,,,eeted for the network wide synchronous frame 

logic path IS followed as though no consolidation were Punching), and that processing should be minimized at 

"^^T^ 1^ • • J , « , . c^ch node to the extent possible. During frame decora- 

FIG. 16 IS a simplified exemplary flow chart for 40 position fm which the packet is taken apart to recover 

adaptive anchoring with relocation as a result of chan- the payload information at the destination side), if flow 

nel release. The SLS receives a channel release request control had been set for a particular T-slot an assump- 

from a subscnber, and such request is always granted in ^i^^ ^lade that flow control is to be maintained for 

the interest of making additional bandwidth available. that particular T-slot in every incoming frame on that 

The TLS is notified and begins normal Frame Recon- 45 vCP for a period of time. This period of time is set by 

figuration for channel release. A decision is made of the timer. Then, even if no further frames requiring 

whether VCP fragmentation is needed, and. if so. all flow control for the T-slot in question are encountered 

SLSs mvolved in the VCP are notified, a wait is insti- on tiiat VCP. the flow control is nevertheless main- 

tuted for channel release requests from the SLSs. the tained throughout the timer period. If. before the timer 

requested channel is released, and if no channels are left 50 expires, a frame is received on that VCP in which the A 

a normal VCP tear down is begun. If, however, chan- bit is set to 1 for that T-slot, tiie timer is thereupon reset 

nds are left, the logic reverts to a wait for channel to maintain flow control for another timer period, 

release requests from the SLSs. por example; if the synchronous frame launch time is 

Some additional considerations pertinent to BW seiz- selected to dispatch a packet once every millisecond, 

mg and flow control will now be discussed witii refer- 55 1000 packets will be received every second. If the flow 

ence to FIGS. 17-19. Referring to the flow chart of control timer is set for a period of one-half second, tiien 

FIG. 17, the A bit set-up procedure is perfonned at the 499 packets can be processed on that VCP without a 

source anchor EFPS or any TFPS on the VCP. The requirement that tiie A bit must be set on any one. Tliis 

procedure begins when an FRR control frame is re- technique avoids an extremely process-intensive activ- 

cei ved by the particular node. Upon receipt of the FRR, 60 ity at the node. whUe still maintaining flow control as 

the node analyzes its stored associated link/T-sIot pro- appropriate. If the timer expires for lack of subsequent 

file which is indicative of traffic on the link and specific receipt by the node, during the timer interval, of an- 

subscriber activity. If flow control is not required (A=a other frame in which the A bit is set to 1, then flow 

in the portion of the PFC field associated with this control is lifted. The timer technique is forgiving, in the 

T-slot), the T-slot profile is updated or the bandwidth 65 sense that another A bit may be set to 1, if necessary, 

reserved for the particular subscriber(s) (channel(s) is when time is available to do so at the transit node. But 

released at the node. The FRR control frame is then if traffic congestion ceases there is no need to reset a bit, 

sent to the next node along the VCP path. because the flow control will be lifted automatically 
when the timer expires. Further, the technique does not require more elaborate measures such as counting the number of packets received since the flow control was turned on.
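The timer mechanism described above, as an added example that is not part of the patent: a node keeps one timer per (VCP, T-slot), starts or resets it whenever a frame arrives with that T-slot's A bit set, and treats flow control as in effect until the timer lapses, so neither per-frame analysis nor packet counting is needed. The 1 ms launch interval and one-half second timer are the values from the text; the state layout, function names and frame sequence are constructed for the example.

```python
# Timer-based flow control at a node, per the FIG. 17 description (added
# example, not the patent's own code). The 1 ms frame interval and the
# one-half second timer are the values given in the text; the per-(VCP,
# T-slot) state layout is an assumption.

FRAME_INTERVAL_MS = 1          # synchronous frame launch: one frame per millisecond
FLOW_CONTROL_TIMER_MS = 500    # flow control timer: one-half second


class FlowControlTimers:
    """Flow-control state at one node: for each (VCP, T-slot) under flow
    control, the time at which the current timer period expires."""

    def __init__(self):
        self._expiry = {}      # (vcp_id, tslot) -> expiry time in ms

    def observe_frame(self, now_ms, vcp_id, a_bits):
        """Process one frame received on vcp_id at time now_ms.

        a_bits maps a T-slot index to the A bit (0 or 1) carried for that
        T-slot in the frame's PFC field. Returns the set of T-slots on this
        VCP for which flow control is in effect once the frame is handled.
        """
        for tslot, a_bit in a_bits.items():
            if a_bit == 1:
                # A bit set: start the timer, or reset a running one, for a
                # further full timer period.
                self._expiry[(vcp_id, tslot)] = now_ms + FLOW_CONTROL_TIMER_MS
        # A timer that has run out without another A = 1 frame lifts flow
        # control by itself; no count of received packets is kept.
        for key in [k for k, t in self._expiry.items() if t <= now_ms]:
            del self._expiry[key]
        return {tslot for (vcp, tslot) in self._expiry if vcp == vcp_id}


def simulate(a_bit_frames, n_frames, vcp_id=1, tslot=0):
    """Constructed traffic: n_frames frames on one VCP, one every
    FRAME_INTERVAL_MS, with the A bit for `tslot` set only in the frames
    whose index is in a_bit_frames. Returns the indices of the frames
    handled while flow control was in effect."""
    node = FlowControlTimers()
    controlled = []
    for i in range(n_frames):
        frame_a_bits = {tslot: 1 if i in a_bit_frames else 0}
        if tslot in node.observe_frame(i * FRAME_INTERVAL_MS, vcp_id, frame_a_bits):
            controlled.append(i)
    return controlled


def frames_controlled_without_a_bit(a_bit_frames, n_frames):
    """Number of frames kept under flow control although their A bit was 0."""
    return sum(1 for i in simulate(a_bit_frames, n_frames) if i not in a_bit_frames)


if __name__ == "__main__":
    # One A = 1 frame at t = 0: the next 499 frames are handled under flow
    # control without the bit being set again, as the text states, and the
    # control lapses at frame 500.
    print(frames_controlled_without_a_bit({0}, 600))    # 499
    # A second A = 1 frame at 300 ms resets the timer, extending control to
    # frame 799.
    print(simulate({0, 300}, 1000)[-1])                  # 799
```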

If traffic congestion is occurring at a TFPS of a VCP, the TFPS has the capability to set the A bit to 1 for the congested T-slot in each frame transported on every VCP which traverses the associated trunk (link), and this starts the bandwidth seizing process. Simultaneous with the initiation of bandwidth seizing, the node establishes a periodic link/T-slot profile verification. Referring to the table of FIG. 18, the link/T-slot profile is built based on three parameters, designated alpha, beta and gamma. Alpha represents the total bandwidth (BW) in use on the particular link; beta, the BW usage for the particular T-slot; and gamma, the minimum guaranteed BW for this T-slot type. Alpha is 0 if the total BW in use is less than the maximum utilization threshold; beta is 0 if the T-slot BW usage is less than the maximum allowable usage; and gamma is 0 if the T-slot BW usage is less than the minimum guaranteed BW for this type of T-slot. If the reverse is true for a parameter, then the value of that parameter is 1. The table illustrates the value of the flow control (A) bit for each of several distinct and different situations represented by the value of those three parameters. The situations numbered 2 and 6 in the table are not valid, i.e., cannot exist, and therefore are disregarded.

In those situations requiring active flow control, represented by #s 1, 3, 4 and 5, the TFPS sets the A bit to 1. For example, if situation #1 exists at the node, in which total BW in use is more than the maximum utilization threshold, T-slot BW usage is more than the maximum allowable usage, and T-slot BW usage is more than the minimum guaranteed BW for this T-slot type, the node and its associated links are experiencing severe traffic congestion. Hence, flow control is urgently required. The situation may have arisen from the need to add a new channel (and thus a need for additional bandwidth), as indicated in an FRR received at the node, which triggers BW seizing.

An FRR is communicated in the form of a packet analogous to a call setup packet, and follows the same path as the composite data frames, but constitutes a request to change the format of those frames. The existing format is indicated in a template stored at each of the nodes along the path. Another stored template indicates the amount of change of BW which is permitted for a particular traffic component, i.e., how much of the BW the particular channel may be allocated. Each of the nodes processes the FRR packet, and, if the request for more BW is approved, allocates the additional BW as requested. As noted above, a request for less BW is always approved because of the desirability to have BW available at all times for allocation to other users, without exceeding anticipated reasonable needs in the initial establishment of the transmission facility (network).

If a traffic component A requires additional BW and at that time is not using its minimum guaranteed BW, while at the same time another or other traffic components B, C, D, etc. are exceeding theirs, or the total BW of the transmission facility has already been allocated, then BW must be seized from the other traffic component(s) lacking entitlement and allocated to traffic component A. The FRR can be approved in such circumstances only if BW seizing can be implemented. If the attempt to de-allocate or seize BW from another traffic component is successful, the call is permitted to be set up in the sense of allocating the additional channel in the frame. Frame compression is employed to reallocate bandwidth, although frame compression may be used to advantage for other purposes as well, such as the previously mentioned subscriber inactivity.

Frame composition and decomposition will now be described based on the B and C presence bits in the PFC field. On the source EFPS anchor side, the template set-up during frame reconfiguration considers the physical capacity across the VCP for each end user connected to that VCP. During frame composition, the anchor node implements the following algorithm: For each channel and associated T-slot in the frame, if at least one channel is present set B=1, copy the "bucket" (i.e., the posted packet or cell) and set C=1 for an appropriate channel; else (if no channels are present) set B=0.

This frame composition/decomposition is shown in greater detail in the flow charts of FIGS. 19(a) and 19(b). In FIG. 19(a), the source EFPS sets up the B and C bits depending on whether data is present for transmission, as part of the process of frame compression. At the start of frame composition, a first T-slot X is selected for analysis. If no buckets are posted for transmission in this T-slot, the presence bit B is set to equal 0 in the frame template. If, however, some buckets (say, N in number) are posted for transmission, the frame template is set up with B=1, and with C=1 for each of the N channels corresponding to the number of posted buckets. Data from the buckets is then written into the corresponding channels of the T-slot. If one of the buckets is empty, copying is unnecessary and the corresponding C bit is simply set to 0. Then (or in the case where B=0), the next T-slot (X+1) is selected for analysis and setup. If that T-slot is present, the same procedure is followed as with T-slot X; but if the T-slot is not present, the next T-slot is selected. The process continues until the last T-slot has been analyzed, and then the frame is sent. As emphasized earlier herein, assembly of the composite data frame requires that all of the data to be assembled into the frame must be destined for the same endpoint node.

It will be observed that two iterative processes are taking place during frame composition. First, for a T-slot go through each channel and copy each posted bucket in a corresponding channel, setting the appropriate C bit for each channel to 1 (or 0, as the case may be). Then go to the next T-slot, and if there is at least one channel present set the B bit to 1. The logic is the same regardless of the specific implementation.

The meaning of the "bucket" (or mailbox) may be further clarified as follows. At each VCP anchor (endpoint) node of the network a subscriber exists at one side of the switching fabric, and a trunk exists at the other side. Typically, in the system of the invention, the frame composition is performed on the trunk side as the traffic components cross the switching fabric. Every millisecond (or whatever other synchronous frame launch period may be used), the subscriber (through the SPU) posts a fixed size unit of data to be shipped across the network to a specified (addressed) destination. This procedure is performed at connection set-up time, in memory on the trunk side. During the next frame composition, the T-slot/channel template stored in memory is analyzed for each T-slot and the channels in that T-slot. For each of those channels a determination is then made of whether anything is posted for assembly into the composite data frame, by examining a portion of the memory in which the subscriber is to dump the data segments to be shipped. If something is to be sent, the SPU puts it into the preassigned location in memory and a flag is lifted, analogous to a mailbox flag, to indicate the presence of data to be shipped. In the preceding description, that location (and its contents) is termed a "bucket", and the bucket scheme is simply a mailbox scheme used by the subscriber to post the data which is to go into the next composite data frame.

The frame compression technique of the invention is independent of the traffic component type. If the subscriber has something to send, regardless of the traffic component type that "something" may be, a channel will be made available; and if there is nothing to send, the frame will be compressed accordingly, because there is no transmission of a blank channel.

Referring to FIG. 19(b), at the destination EFPS the presence bits are analyzed for purposes of the frame decomposition process. When a frame is received, the node initially examines the PFC field for the value of the B and C bits to interpret the payload structure for that incoming frame. The frame template stored at the node is used for offsetting the starting bit for each T-slot, and for each channel present in a T-slot in the payload of the frame. The frame payload is then decomposed by separating and forwarding each channel to the appropriate subscriber on the remote (destination) side. The separated channels traverse the switching fabric and travel to their respective destinations, which are mailboxes on the remote side of the subscriber connection.

The A bit is not examined during either decomposition or composition of the composite data frame. Only the B and C presence bits of the PFC field are used for the decomposition process. As has been described herein, the A bit stores information significant for a different process, that of flow control at the transit nodes, which will subsequently affect the composition process at the local EFPS side of the VCP anchor. At most, during decomposition of a frame the A bit may be observed and used to notify the subscribers that flow control is being exercised on their data. It then becomes the subscriber's responsibility to send less data.

FIG. 20 illustrates the flow in retrieval and delivery of data by the destination EFPS, using the stored VCP template. Channels A, B and C are present for one T-slot, channel D for another T-slot, and channels F and G for the remaining T-slot of this exemplary frame. No channel E data is present, hence C=0 for that channel, and the remote EFPS recognizes that channel does not exist in the payload of the incoming frame. The header address and payload information for the several channels is then dispatched to the switch fabric where the information is directed to the appropriate subscribers.
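Frame composition (FIG. 19(a)) and decomposition (FIG. 19(b)) driven by the B and C presence bits, using the channel layout of FIG. 20, as an added example that is not the patent's own code: the template, bucket contents, channel sizes and the placement of channel E beside D are assumptions, and the PFC field is modelled as a flat bit list with one B bit per T-slot followed, when B=1, by one C bit per channel of that T-slot.

```python
# Frame composition and decomposition driven by the B and C presence bits
# (added example, not the patent's own code). Template layout, channel sizes
# and bucket contents are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class TSlot:
    """One T-slot of the stored VCP template: a traffic component type with
    a fixed channel size and the channels assigned to it, in template order."""
    name: str
    channel_size: int   # bytes per channel; the same for every channel of this type
    channels: tuple     # channel names, e.g. ("A", "B", "C")


# Constructed template following FIG. 20: A, B and C in one T-slot, D in a
# second (E is placed beside it here, an assumption), F and G in a third.
TEMPLATE = (
    TSlot("voice", 8, ("A", "B", "C")),
    TSlot("video", 16, ("D", "E")),
    TSlot("data", 4, ("F", "G")),
)

# Constructed buckets (mailboxes): what each subscriber posted for this
# frame. Channel E has nothing posted, so it must be absent from the payload.
BUCKETS = {
    "A": b"A" * 8, "B": b"B" * 8, "C": b"C" * 8,
    "D": b"D" * 16,
    "F": b"F" * 4, "G": b"G" * 4,
}


def compose(template, buckets):
    """Source EFPS side: build the presence bits and a compressed payload.

    The PFC field is modelled as a flat list of bits: for each T-slot its B
    bit, followed (only when B = 1) by one C bit per channel of that T-slot.
    Only channels with C = 1 occupy space in the payload, so a blank channel
    or an empty T-slot is never transmitted.
    """
    pfc = []
    payload = bytearray()
    for ts in template:
        if not any(buckets.get(ch) for ch in ts.channels):
            pfc.append(0)          # B = 0: nothing posted, T-slot left out
            continue
        pfc.append(1)              # B = 1: at least one channel present
        for ch in ts.channels:
            data = buckets.get(ch)
            if not data:
                pfc.append(0)      # empty bucket: C = 0, nothing copied
                continue
            if len(data) != ts.channel_size:
                raise ValueError(f"bucket {ch} is not one {ts.name} channel")
            pfc.append(1)          # C = 1: copy the bucket into the channel
            payload += data
    return pfc, bytes(payload)


def decompose(template, pfc, payload):
    """Destination EFPS side: walk the template with the B and C bits to
    offset into the payload; returns channel -> data for present channels.
    The A bit is not consulted here, as it belongs to flow control."""
    out = {}
    bit = 0
    offset = 0
    for ts in template:
        b_bit = pfc[bit]
        bit += 1
        if b_bit == 0:
            continue               # nothing from this T-slot in the payload
        for ch in ts.channels:
            c_bit = pfc[bit]
            bit += 1
            if c_bit == 1:
                out[ch] = payload[offset:offset + ts.channel_size]
                offset += ts.channel_size
    if bit != len(pfc) or offset != len(payload):
        # Bits and payload that disagree with the stored template mean a
        # malformed frame; refuse it rather than deliver mis-sliced data.
        raise ValueError("PFC field and payload do not match the template")
    return out


if __name__ == "__main__":
    pfc, payload = compose(TEMPLATE, BUCKETS)
    print(pfc, len(payload))                            # [1, 1, 1, 1, 1, 1, 0, 1, 1, 1] 48
    print(sorted(decompose(TEMPLATE, pfc, payload)))    # ['A', 'B', 'C', 'D', 'F', 'G']
```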

Although a presently preferred embodiment and method of the invention have been disclosed herein, it will be apparent from a consideration of the foregoing disclosure by those skilled in the field to which the invention pertains, that variations and modifications of the described embodiment and method may be made without departing from the true spirit and scope of the invention. Accordingly, it is intended that the invention shall not be limited except as required by the appended claims and the rules and principles of the applicable law.

What is claimed is: 

1. A method of transmitting information between a multiplicity of subscribers, as components of traffic in an integrated services network (ISN), in which the information traffic consists of a multiplicity of media types according to the communications services required by the different subscribers, including voice, video and data traffic component types, said method comprising:

assembling a plurality of traffic component types in information streams from subscribers associated with an entry node of said ISN into composite frames of variable size for sequential launching of the assembled composite frames into the ISN destined to subscribers associated with another node of the ISN,

limiting the traffic component types assembled into each of the composite frames to those in information streams destined for subscribers associated with the same exit node of the ISN, at which the composite frames are to be disassembled,

configuring each composite frame with the traffic component types assigned to respective separate groups of adjacent channels of bandwidth allocated according to predetermined communication requirements of the particular traffic component type through the ISN, with each group limited to channels transporting traffic components of the same type, and each channel in a group dedicated to a particular subscriber of the respective traffic component type for a communication session, and

selectively seizing bandwidth from at least one group of channels associated with a traffic component type for reallocation to at least one other group of channels associated with a different traffic component type in the composite frames being launched into the ISN for preferential transmission of the latter traffic component type during periods of traffic congestion in the network between the entry node and the exit node.

2. The method of claim 1, further including:

allocating different minimum bandwidth availability levels to the various traffic component types within the composite frames to be assembled, and wherein

bandwidth is selectively seized from a group of channels associated with a traffic component type having one minimum bandwidth availability level, for use by a traffic component type having a relatively higher minimum bandwidth availability level, within the launched composite frames.

3. The method of claim 2, wherein

the step of bandwidth seizing is performed before launching each composite frame into the ISN.

4. The method of claim 1, wherein

the step of bandwidth seizing is selectively performed by selectively eliminating at least one channel of a group associated with one traffic component type within a composite frame during assembly thereof, to increase the bandwidth available in that composite frame for the group of channels associated with another traffic component type to accommodate preferential transmission through the ISN of the latter traffic component type having a higher priority for reduced delay in information transmission.

5. The method of claim 4, further including:

identifying in the header field of the respective composite frame each channel which has been eliminated therefrom, for purposes of disassembling the composite frame at the exit node of the ISN.

6. The method of claim 1, wherein

each of the composite frames is of variable size and the channels within each composite frame are of the same fixed size for any given traffic component type.

7. A method of multimedia information communication between subscribers associated with a pair of nodes of a fast packet switched network to provide traffic flow control in the network, said nodes being connected by an end-to-end network path having multiple transmission links, and wherein the multimedia information includes a plurality of traffic component types from among voice, video and data to be communicated between subscribers associated with said nodes, said method comprising:

launching a succession of composite frames conveying multimedia information from subscribers at one of said nodes intended for subscribers associated with the other of said nodes onto said network path, in which each of said composite frames has a plurality of channels of different fixed sizes to accommodate the traffic component types and representing differing bandwidth requirements allocated for respective ones of said traffic component types within each composite frame,

assigning each of said traffic component types a level of priority for transmission through the network which may differ from priority levels assigned to other traffic component types, before commencing the frame launching, and

reallocating bandwidth within newly launched composite frames according to the priority levels of said traffic component types to allocate additional bandwidth for advancing the transmission of the traffic component types having higher priority assignments across the network path while concomitantly reducing bandwidth and deferring transmission of the traffic component types having lower priority assignments across the network path during periods of traffic congestion on any of the transmission links of said network path.

8. The method of claim 7, wherein

the step of bandwidth reallocation is performed by selectively eliminating channels that accommodate traffic component types having lower priority assignments from the composite frames.

9. A system for transmitting information during call connections between a multiplicity of subscribers as components of traffic in an integrated services network (ISN), in which the information traffic consists of a multiplicity of media types according to the requirements of the different subscribers including voice, video and data traffic component types, comprising:

assembling means for assembling a plurality of traffic component types in separate respective subscriber information streams to be launched for transmission at an entry node of said ISN during respective call connections, into the message information payload field of each of a sequence of composite frames of variable bandwidth to occupy channels of predetermined limited bandwidth within the respective frame for transmission through the ISN, the assembling means including:

selecting means responsive to the respective information streams for limiting the assembly of traffic component types into each composite frame to those in information streams addressed to subscribers at a common exit node of the ISN, and

allocating means for configuring each composite frame so that the information streams of the different traffic component types are assembled into respective separate groups of channels of predetermined fixed bandwidth different from the fixed bandwidth of channels of groups associated with others of the traffic component types; and

bandwidth appropriation means located at a transit node on a communications path of the ISN between the entry and exit nodes for response to traffic congestion on said path to initiate selectively seizing of bandwidth from channels of one group for expanding channels of another group associated with a traffic component type of preferred priority of transmission within each composite frame to be launched from the entry node, to control traffic flow on said path.

10. The system of claim 9, wherein

said bandwidth appropriation means includes means for dispatching flow control data to the next node along said path to indicate the status of the flow control at the transit node where said bandwidth appropriation means is located.

11. A method of enhancing the bandwidth of certain traffic component types transmitted by subscribers as composite information in an integrated services network (ISN), in which the subscribers are associated with nodes at endpoints of the network and the composite information traffic may include voice, video and data traffic component types transmitted in packets having a predetermined variable bandwidth allocation for each traffic component type, said method comprising the steps of:

detecting traffic congestion in the queue of packets awaiting transmission over a transmission link at a transit node on a network path between two endpoint nodes of the ISN,

responding to a request for more bandwidth within packets to be transmitted, for a traffic component type from a subscriber associated with one of said two endpoint nodes and communicating with a subscriber associated with the other of said two endpoint nodes, in which the traffic component type for which the additional bandwidth is requested has greater priority for uninterrupted transmission through the ISN between said two endpoint nodes than other traffic component types, according to a predetermined ranking of transmission priority levels for the traffic component types supported by the ISN,

identifying another subscriber, associated with one of said two endpoint nodes, constituting the source of a traffic component type within packets at least partly causing the congestion, of lower priority than that of the traffic component type for which more bandwidth is being requested, and

suppressing the transmission of the lower priority traffic component type from the identified subscriber in packets emanating from the endpoint node associated with the identified subscriber, to seize bandwidth from those packets, and making the seized bandwidth in the packets emanating from that endpoint node available to the traffic component type of the subscriber for which more bandwidth is being requested.

12. The method of claim 11, wherein

said step of detecting traffic congestion includes determining that the maximum available bandwidth for said transmission link is being fully utilized at the time of receipt of the request for more bandwidth.

13. The method of claim 7, wherein

the step of bandwidth reallocation is performed by detecting traffic congestion on a transmission link of the network path at a transit node between transmission links including the congested transmission link of the network path, and revising a portion of at least some of the composite frames traversing the transit node to inform one of the pair of nodes associated with the subscribers to which the revised portion composite frames are directed of the existence of the traffic congestion and the need to reallocate bandwidth to favor transmission of the traffic component types having the higher priority assignments.

14. The method of claim 13, further including

commencing a predetermined time interval during which said at least some of the composite frames are revised, without regard during such predetermined time interval to continuing congestion or relief from congestion of the transmission link that prompted the bandwidth reallocation.

15. The method of claim 14, further including

recommencing the predetermined time interval after initial expiration thereof if continuing traffic congestion is detected on the transmission link that prompted the bandwidth reallocation.
ABSTRACT

A system which uses three way password authentication, encrypting different portions of a logon packet with different keys based on the nature of the communications link. Nodes attached to a particular LAN can have one level of security for data transfer within the LAN while data transfers between LANs on a private network can have a second level of security and LANs connected via public networks can have a third level of security. The level of security can optionally be selected by the user. Data transfers between nodes of a network are kept in separate queues to reduce queue search times and enhance performance.

20 Claims, 13 Drawing Sheets
NETWORK WITH SECURE COMMUNICATIONS SESSIONS

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to computer network security. In particular, it relates to networks which use dynamic packet headers and multiple levels of packet encryption to transfer data to and from a remote server or to and from another node in the local network.

2. Background Art

The development of small independent systems such as personal computers has provided several benefits to users. By providing each user with their own processor and data storage, personal computers provide consistent performance and data security. A cost of these benefits is the inconvenience which results from the inability to easily access data by other members of an organization.

The use of mainframe systems, and the later development of alternative systems such as LANs (Local Area Networks) and servers reduces the inconvenience of making data available to all members of an organization, but results in [...] unpredictable performance, and most importantly results in exposure of sensitive data to unauthorized parties. The transmission of data is commonly done via packet based systems which have user ID and password information in a header section. Interception of a packet with header information allows the interceptor to learn the user ID and password which will in turn allow future penetration of the user's system and unauthorized access to the user's data. It would be desirable to transmit user identification and password information in a manner which would be indecipherable to an unauthorized interceptor.

Data security is endangered not only by access by outside parties such as hackers, industrial spies, etc., but also by inadvertent disclosure of data to unauthorized members of the organization. For example, data exchange at certain levels of management may cause problems should the information be disclosed to the general employee population. Likewise, the transmission of personal information such as banking codes over networks has exposed individuals using online financial systems to the possibility of fraudulent access to their funds by third parties.

[...] such as LANs has created performance problems due to the [...] from multiple locations and the unpredictable [...] fluctuations. It would be advantageous if a system could provide not only data security, but also more consistent performance. The prior art has failed to provide network systems which ensure that access to data is restricted to authorized parties while at the same time providing more consistent performance.

SUMMARY OF THE INVENTION

The present invention solves the foregoing problems by providing a system which uses three way password authentication, encrypting different portions of a logon packet with different keys based on the nature of the communications link. Nodes attached to a particular LAN can have one level of security for data transfer within the LAN while data transfers between LANs on a private network can have a second level of security and LANs connected via public networks can have a third level of security. The level of security can optionally be selected by the user. Data transfers between nodes of a network are kept in separate queues to reduce queue search times and enhance performance.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing the connection between applications and the requester in a local system.

FIG. 2 is the diagram of FIG. 1 with a more detailed view of the requester.

FIGS. 3A-B are a flow diagram illustrating data transfer between the application and requester of the preferred embodiment.

FIGS. 4A-C are diagrams of the memory layout of packet headers used in the preferred embodiment.

FIGS. 5A-B are diagrams showing the memory layout of entries in the packet queue. FIG. 5A is the memory layout used for TCP/IP and NetBIOS. FIG. 5B is the memory layout used by SMODEM or SRS232 communications systems.

FIG. 6 is a diagram of a multi-requester system with a single server.

FIG. 7 is a diagram illustrating a single requester attached to [multiple] servers.

FIG. 8 is a diagram showing a requester (machine A) interconnected with two servers (machines B-C).

FIG. 9 is a diagram illustrating multiple requesters connected to servers via local area networks (LANs) and wide area networks and public telephone networks.

FIG. 10 is a diagram illustrating multiple requesters connected to servers and server/requester systems.

FIG. 11 is a diagram illustrating the server used in the preferred embodiment.

FIG. 12 is a diagram illustrating the read/write threads and packet queues used by the server of FIG. 11.

FIGS. 13A-D are diagrams illustrating the packet headers used in the logon procedure of the preferred embodiment.

[FIG. 13E is a diagram] illustrating the packet headers [...] embodiment.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Prior to a detailed description of the figures, a general [...] follows. A network can take a variety of forms. For example, it can be two personal computers communicating via [...]; it can be a single LAN system within a particular facility; it can be a remote server or mainframe system with communications links to individual terminals or personal computers; it can be a network of LANs or other servers each communicating with one another or through one another; or it can be any of the foregoing systems which use not only dedicated communications lines, but also nondedicated [...] Internet) through a "firewall". The use of the term firewall herein refers to the requirement for increased levels of security to avoid the possibility of unauthorized data access by parties outside of the organization. Likewise, a machine in the network can act as a client or a server depending on the nature of the data transfer.

In the preferred embodiment, communication between a client and a server is as follows. The server waits for connection requests from clients on the network. The server can be started with one or more supported protocols to enable support of a variety of client types on the network.
For example the server protocols can include among others, NetBIOS, TCP/IP, SMODEM and SRS232. All of the foregoing protocols are well known in the art.

When a user on a client machine wishes to initiate a data transfer or other function, the client application activates a requester to access resources in the network. When the server receives a request from a client application, it activates a thread to process the request. A thread is an execution unit of an operating system. Operating systems used for this type of system are Microsoft Windows 95 (trademark of Microsoft Corporation), Microsoft Windows NT (trademark of Microsoft Corporation), IBM OS/2 (trademark of IBM Corporation). These systems may use multiple session protocols such as NetBIOS and TCP/IP or single session protocols such as SMODEM and SRS232.

In single session protocols such as SMODEM and SRS232, the same thread is used to process the request from a client since a serial port can act as a server or client but cannot simultaneously act as a server and client. Multiple session protocols create a new thread, referred to as an original thread, and wait for a request from a client. When a request is received, the thread is referred to as a server processing thread which is used to process the client logon. After the logon is successfully completed, the server processing thread creates a packet queue and a packet thread to receive incoming packets and place them in the packet queue. The server then waits for packets to arrive. On the client side, the client creates a session write thread to initiate contact with the server. In addition, the client creates a second thread which is referred to as the session read thread. This thread is used to receive packets sent from the server to the client.

To use resources on the network, users must first logon the server to prove their identity. A logon request is sent from the client's logon application to the requester on the client computer. Before logon data can be exchanged between the applications and the requester, a command manager is created by the requester to accept application requests. The command manager is responsible for housekeeping requests within the client computer.

In the preferred embodiment, the logon procedure uses a three way authentication to prevent the password from being transferred over the computer [network] and also to allow both the client and the server to authenticate each other. In addition, the authentication procedure prevents unauthorized penetration of the system security by detecting the replaying of packets by third parties.

The three way authentication system encrypts the very first logon packet with different keys for each part of the packet as follows.

The first step takes place at the client computer as follows.

1—The client generates a 32 bit random number value which is concatenated to a predefined 32 bit constant to form a 64 bit value R.

2—The CRC signature C1 of the 64 bit value R and the user ID is calculated. This signature value allows detection of packet manipulation.

3—The 64 bit value R is used as a DES key to encrypt the user ID. This makes the user ID look random for each logon packet.

4—The client generates a 192 bit key K from the server name to encrypt the 64 bit value R.

5—The client generates a key Ka from the user ID and password using a one way hash function such as the Secure Hash Standard (SHS) specified in the Federal Information Processing Standards Publication 180 (FIPS PUB 180).

6—The client generates a random number Ra, calculates its CRC signature C2, and encrypts them with the signature C1 using the key Ka. This signature is used to validate the key Ka by the server.

The second step in the process takes place at the server. When the server receives the first logon packet it decrypts the packet as follows.

1—The server generates a key K2 from its machine name and the SHS to decrypt the packet header for identification. If the packet header does not contain the predefined constant, the user is unauthorized. This occurs when an unauthorized user tries to access the server over the phone [...] (since the phone number is a public record but the server name is private).

2—If the user is authorized, the server uses the decrypted 64 [bit value] R in the packet header as a key to decrypt the [user ID].

3—The server then uses the user ID to search a database for [the access] record. If the access record cannot be found, the [user has] entered an invalid ID and the session is terminated. [If the] access record is found, the server verifies if the user is allowed access to network resources at this date [and time].

4—[After the] access date and time are verified, the server retrieves [the] associated one way hashed password Kb from an encrypted password file to decrypt the random number Ra [and the CRC] signatures. The password file is encrypted [with a key] which is selected by the system administrator [at] installation.

5—The random numbers Ra and the CRC signatures are [then] decrypted. The server calculates the CRC signature of the packet header, the user ID and the random number Ra. If the calculated signatures match the decrypted signatures C1 and C2 stored in the packet, and if password Ka matches Kb, the server manipulates the client random number Ra with a predefined formula, generates a random number Rb, and encrypts both random numbers Ra and [Rb with] the password Kb before sending the first logon response packet to the client.

The third step in the process takes place at the client computer as follows.

1—The client decrypts the first logon response packet.

2—The client manipulates the random number Ra with the predefined formula and compares it with the one returned from the server. If the numbers match, the client knows that it is connected to the correct server, not a fraud server from which an eavesdropper has captured transmissions from the previous logon and is echoing packets back to the client computer.

3—The client manipulates random number Rb with another predefined formula and concatenates it with the client's initiating data (i.e., the client initial packet sequence number, the encryption and compression mode for the session, and the operating system platform ID) to form a second logon packet. The operating system platform ID is useful for selecting protocols and data formats when a particular client or server is communicating with systems that may have any one of a variety of operating system software programs running. The client would typically request encryption and compression mode for the session. However, the server may indicate that the particular modes requested are not available.

4—The client then encrypts the second logon packet and sends it to the server.

The fourth step in the process takes place at the server computer as follows.

1—The server decrypts the second logon packet.
[...] match, then the server knows [that it is an] authorized client and that the first logon packet is not a replayed packet. [...] session key Ks and an initialization vector IV in the preferred embodiment. [Ks] and IV are generated [by the] formula specified in Appendix C of the [...] standard.

4—Ks and IV are sent to the client along with the server initiating data (i.e., the server initial packet sequence number, supported and/or [...] compression modes for the session, and the server operating system platform ID). [...] used to detect packet deletion and insertion for data exchanged after the logon procedure.

[...]

2—The client encrypts Ks and IV with its own key and saves them in memory for future communication [with the] server. The logon procedure completes here.

After the logon procedure is successfully completed, all packet headers are encrypted using the [...] the IV. The packet header [...] from deleting, inserting, modifying [...] packets which may have been captured while [...] exchanged over communication lines.

For ease of illustration, the following symbols can be used to illustrate the logon process:

Where:
C=a client
S=a server
E=a symmetric cryptosystem such as DES
K=an encryption key generated from the server name
[...]
Ra=a 64 bit random value generated by C
f( )=a hash function such as CRC to calculate the signature
g( )=a hash function such as CRC to calculate the signatures
UID=user IDs
Kb=a 192 bit one way hashed key retrieved from a database
ha( )=a hash function to manipulate the random number
Rb=a 64 bit random value generated by S
Dc=client initial data
IV=an initial chaining vector for encryption
Ks=a session encryption key
Ds=server initial data
R'a=ha(Ra)
R'b=hb(Rb)

The logon procedure may be listed as:

1. C to S: EK(R), EKa(Ra, f(Ra, E(R, UID))), ER(UID)
2. S to C: EKb(R'a, Rb)
3. C to S: EKa(R'b, Dc)
4. S to C: EKb(IV, Ks, Ds)

[...] terminate without sending the [...] packets which contain different encrypted random numbers [...] authentication procedure is in the middle [...] CRC signatures. Since the CRC signature C2 of [...] with the [...] authenticate the user right on [...] challenge-response fashion is to help the server defeat the replaying of the logon packet and [...]. The 32-bit random number in the packet header is used to [...] the user ID [...] creating a one-way hashed password [...] easily transferred to the new [...] less time-consuming to delete [unauthorized] users from the database than to add authorized [...] the new one. To better protect the valuable information [in the] database, a password is required before access [to it] is granted. More important, the database can [...]. For example, a server Sb can [...] logon packet [and] forward the user ID to a [...] continues the challenge-response as if the [...] database server Sc encrypts the one-way hashed password [...] Sb and Sc before sending it across the private network.

[In comparison] to prior art systems, the design of this [...] provides the server a better opportunity to resynchronize if the first logon packet is invalid since the receiver of the authenticating packet is in control of what is [...] in the prior art the [...] receiver. If the secret key is invalid, the [...] of packets [...] be received before the receiver can resynchronize or the receiver might have to use a timeout to resynchronize [...].

[In summary, the] logon protocol of the preferred embodiment is [designed for] a client/server distributed environment. [The protocol] allows both client and server to authenticate each other without sending the user password over the communication media and prevent intruders from deleting, inserting, modifying, or replaying the logon packets. In addition, if the logon procedure fails at any point the
server deletes all resources and destroys the connection without sending the response packet at that point. If the user enters a wrong server name in the very first logon packet, nothing is sent out from the server to prevent the user, a potential intruder, from knowing anything about the server. Note that this mutual authentication technique requires the client machine to have a local CPU so that the password will not be transmitted over the network before being encrypted.
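The three-way logon described above, carried through end to end as an added example (this is not code from the patent): both sides' four messages, the server's silent refusal when the server name or the password is wrong, and the rejection of a replayed first or second packet. DES and the SHS are replaced by labelled stand-ins built on SHA-256 so the model runs on the Python standard library alone; the value of the 32 bit constant, the 16 byte user ID padding, the concrete ha( ) and hb( ) formulas and keying the server's pending sessions by user ID are assumptions of the model, not details the page gives.

```python
"""Model of the three-way logon (added example, not the patent's code).
Stand-ins for primitives the page names: an XOR keystream derived from
SHA-256 plays the role of DES, SHA-256 truncated to 192 bits plays the role
of the SHS one-way hash.  Field widths follow the text (64 bit R, Ra, Rb;
32 bit CRC signatures); everything else about the layout is assumed."""
import hashlib, os, struct, zlib

CONSTANT = b"LOGN"   # constructed 32 bit constant; the page does not give its value
UID_LEN = 16         # assumed fixed width for the user ID field
KEY_LEN = 24         # 192 bits, the width the text gives for K and Kb

def cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for DES: XOR with a SHA-256 keystream (same call decrypts)."""
    stream = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def shs(*parts: bytes) -> bytes:
    """Stand-in for the SHS one-way hash, truncated to a 192 bit key."""
    return hashlib.sha256(b"".join(parts)).digest()[:KEY_LEN]

def crc(*parts: bytes) -> bytes:
    return struct.pack(">I", zlib.crc32(b"".join(parts)) & 0xFFFFFFFF)

def ha(r: bytes) -> bytes:        # assumed "predefined formula" applied to Ra
    return bytes((b + 1) & 0xFF for b in r)

def hb(r: bytes) -> bytes:        # assumed "another predefined formula" for Rb
    return bytes(b ^ 0x5A for b in r)

class Client:
    def __init__(self, server_name: str, uid: bytes, password: bytes):
        self.k = shs(server_name.encode())        # K derived from the server name
        self.uid = uid.ljust(UID_LEN, b"\0")
        self.ka = shs(self.uid, password)         # Ka = SHS(user ID, password)

    def step1(self) -> bytes:
        """First logon packet: EK(R) | ER(UID) | EKa(Ra, C1, C2)."""
        self.r = os.urandom(4) + CONSTANT         # 32 bit random || 32 bit constant
        self.ra = os.urandom(8)
        c1 = crc(self.r, self.uid)                # lets the server detect manipulation
        c2 = crc(self.ra)
        return (cipher(self.k, self.r) + cipher(self.r, self.uid)
                + cipher(self.ka, self.ra + c1 + c2))

    def step3(self, resp1: bytes, dc: bytes):
        """Verify the server's proof of Kb, then send hb(Rb) with client data Dc."""
        body = cipher(self.ka, resp1)
        if body[:8] != ha(self.ra):
            return None   # fraud server, or packets echoed from a previous logon
        return cipher(self.ka, hb(body[8:16]) + dc)

    def finish(self, resp2: bytes) -> bytes:
        body = cipher(self.ka, resp2)
        self.iv, self.ks = body[:8], body[8:8 + KEY_LEN]
        return body[8 + KEY_LEN:]                 # Ds, the server initial data

class Server:
    def __init__(self, name: str, users: dict):
        self.k = shs(name.encode())               # K2 from the machine name
        # only the one-way hashed password Kb is kept, never the password itself
        self.kb = {u.ljust(UID_LEN, b"\0"): shs(u.ljust(UID_LEN, b"\0"), p)
                   for u, p in users.items()}
        self.pending, self.sessions = {}, {}

    def step2(self, pkt1: bytes):
        """First logon response, or None (the server stays silent) on any failure."""
        r = cipher(self.k, pkt1[:8])
        if r[4:] != CONSTANT:                     # wrong server name: say nothing
            return None
        uid = cipher(r, pkt1[8:8 + UID_LEN])
        kb = self.kb.get(uid)                     # access record lookup
        if kb is None:
            return None
        body = cipher(kb, pkt1[8 + UID_LEN:])
        ra, c1, c2 = body[:8], body[8:12], body[12:16]
        if c1 != crc(r, uid) or c2 != crc(ra):   # a wrong password garbles the CRCs
            return None
        rb = os.urandom(8)
        self.pending[uid] = (kb, rb)
        return cipher(kb, ha(ra) + rb)

    def step4(self, uid: bytes, pkt2: bytes, ds: bytes = b"srv-init"):
        """Second logon response carrying IV and Ks, or None if hb(Rb) is wrong."""
        kb, rb = self.pending.pop(uid, (None, None))
        if kb is None or cipher(kb, pkt2)[:8] != hb(rb):
            return None   # client lacks Ka, or a replayed second packet (Rb is fresh)
        iv, ks = os.urandom(8), os.urandom(KEY_LEN)
        self.sessions[uid] = (iv, ks)
        return cipher(kb, iv + ks + ds)

def run_logon(client: Client, server: Server, dc: bytes = b"cli-init"):
    """Drive the four messages; returns (iv, ks) on success, None on failure."""
    resp1 = server.step2(client.step1())
    pkt2 = client.step3(resp1, dc) if resp1 is not None else None
    resp2 = server.step4(client.uid, pkt2) if pkt2 is not None else None
    if resp2 is None:
        return None
    client.finish(resp2)
    return client.iv, client.ks
```

The server's silence on a bad server name or a bad password is the behaviour the text calls out: a probe learns nothing about whether the name was right. A replayed first packet still draws a fresh challenge, but without Ka the second packet cannot be completed, and a replayed second packet fails because Rb changes on every logon.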

The client can now perform a mounting procedure to link a network resource on the server to a virtual disk or it can identify a network resource with the following format \\servername\netname:protocol. The format allows the client to communicate with a network domain using any supported [protocol; moreover,] this protocol can be different from the [one] used to perform the logon procedure. That is, the auto-logon [...] protocol [...] network domains. Thus [...] between a client and network domains, between a network domain and other network domains using multiple communication protocols simultaneously.

Referring to FIGS. 1 and 2, [these figures illustrate the] interconnection between a client and a server. FIG. 2 is a more detailed view of the system of FIG. 1.

To perform a file transfer operation, an application 102 calls a request router 106. The request router first verifies if the application 102 requests a local or remote resource. The verification is performed using a local [...] which the request router 106 obtains from the requester 110 when the application 102 is first started.

If the resource is local, the request router 106 calls a system function call to perform the request and returns the control to the application 102. However, if the resource is remote, the request router 106 first searches a local list to see if the needed communication handle is [already in] the list. This communication handle contains information of the read 204 and write 208 tokens (shown in FIG. 2) and their associated resources. If the communication handle is not found in the local list, the [request router sends a] message to the requester 110 over the request channel 112 to obtain the handle. Once the handle is obtained the request router 106 creates a response signal, i.e., a [...], requests the ownership of [the write token ...], stores the response signal into the packet header, builds a packet [...] the application's 102 request in the [...], and signals the session write thread 208 of the communication [...] router releases the write token for use by another thread in the same process or a different process. If the packet was sent to the server successfully, the request router 106 waits for the corresponding response packets [...] because multiple response packets [may be] returned from the server. When a response packet arrives, the [requester] uses the response signal to tell the corresponding request router that its response packet [has arrived ...] the read token. At that time, the read token is accessed exclusively by the designated request router [...] transfers data in the response packet directly to [...] application 102. The final response packet is [identified] by [a bit] in the packet attribute. [...] message to the command [manager of] requester 110 to request the communication [handle] containing information of the read 204 and write 208 [tokens and their] associated resources. If the handle already [exists, the] request router 106 immediately [...] after the requester 110 increments the access count of the handle. However, if the handle does not exist at that time, the requester 110 will load the appropriate communication library, allocate the tokens 204, 208 and their [associated] resources, create a communication channel consisting of a session write thread 208 to perform [...], a session read thread 204 for the communication channel 114 [if the] auto-logon is successful, and increment the [...] event [...] that it can [...] the handle. When the access [count ...] period of time, the session manager of the requester 110 will drop the communication [...] are allocated upon demand and [...] not in use. Furthermore, the request [router ...] and format data in the application [...] while the requester 110 is communicating with [the communication devices 120,] 122, 124, 126 to better use the CPU time.

The request router 106 can also perform any preparation [...] the application 102 request to the [...] requests the ownership of the write [token ...] to access the write token [...] at a time. Thus, it reduces the time [...] information. With this method of [...] can be exchanged asynchronously [...] server with minimum [...] request packets [...] for processing while the [...] communication [...] over the network.

[...] message manager 130 are used [...] system messages transmitted in the system. Currently [...] global mounting table 132 are [...] of system resources. The session [...] request 302 [...] system [...] if it is a local resource 304. If so, a [...] if a local resource, the system creates a [...] response signal 306 cannot be [...]. If it is, then the [...] the communication handle. If [...] not found 316, a communication handle is obtained 318 from the requester and then [...] the write token is requested 320. However, if [the communication handle is] found 316, then ownership of
[...] in the packet header 326, a request packet is built into the write token 328, the write thread sends the packet, and the write token is released 332. If an error is detected when the packet is sent, the response signal is destroyed 342 and control is returned 344 to the application. If no errors occur during packet transmission 344, then the system waits 336 for the response packet, the data in the response packet is transferred 338 into the application's buffer, the read token is released 340, the response signal is destroyed 342 and control is returned 344 to the application.

FIGS. 4A-C illustrate the memory layout of the packets used in the preferred embodiment. FIG. 4A illustrates a packet as encrypted by security level 1. In security level 1, the packet header is encrypted using single DES encoding. This level of security incurs the least amount of overhead and is preferably used in more secure environments such as LANs.

FIG. 4B illustrates a packet as encrypted by security level 2. In security level 2, the packet header and data are encrypted using single DES encoding. This level of security incurs slightly increased overhead as compared to security level 1, but provides an increased level of security for less secure environments such as wide area networks.

FIG. 4C illustrates a packet as encrypted by security level 3. In security level 3, the packet header and the data are encrypted using triple DES encoding. This level of security incurs the most overhead as compared to security levels 1 and 2, but provides the highest level of security for insecure environments such as public telephone networks.

To protect data exchanged over communication sessions, the preferred embodiment provides two different encryption schemes available to the user at logon. The first scheme is the US Department of Defense Data Encryption Standard (DES) and the second scheme is the triple-DES specified in the ANSI X9.17 and ISO 8732 standards but with three different keys. In addition, the preferred embodiment applies the Cipher Block Chaining mode specified in the FIPS PUB 81 to better protect the data. Once an encryption scheme is selected, data exchanged over all sessions connected to a network domain are encrypted regardless of the communication protocols being used by the sessions. The price to be paid for the encryption is minimal [...]; the [preferred] embodiment encrypts 500,000 bytes per second when running on a Pentium 66 MHz processor. The operating system used can be any suitable personal computer operating system such as Microsoft Windows [...], OS/2 Warp (TM), Unix, etc. If the server is a large system, any one of a number of suitable mainframe operating system software may be used.

In addition to the above encryption schemes, the preferred embodiment employs a dynamic packet header technique to provide extra securities based on the security level selected by the user at logon. If a security level 2 is selected, the packet header and data are encrypted with DES and the packet header is changed to 24 bytes to carry the CRC signatures of the packet header and data for authentication. However, if a security level 3 is selected, the packet header and data are encrypted with triple-DES using three different keys. Finally, if security level 1 is selected, the packet header remains at 16 bytes and no signature is verified for a better performance but the packet header is encrypted with DES to provide security against other threads. Thus, thanks to the dynamic packet header technique, a user can setup different types of firewalls wherever he needs them. For instance, the user can connect to his office from his home using security level 2 and setup his office machine to connect to another server within his organization using a lower security level to gain a better performance.

In order to provide better security, the preferred embodiment allows the user to select if the data should stay in its encrypted form so that only authorized personnel can view the data. This is important for sensitive business data, personnel data, etc. Of course, the key to decrypt the data must be agreed to ahead of time or exchanged over some secured channels to protect the secrecy of the key.

Of course, those skilled in the art will recognize that the capability of instructing the system [that no] encryption will be used [could be provided]. In this case, no encryption [would] represent a fourth security level (security level 0). Security levels 1-3 have been discussed in regard to FIG. 4.

FIGS. 5A-B illustrate the packet queue structure used in the preferred embodiment. FIG. 5A illustrates the TCP/IP and NetBIOS communications structure and FIG. 5B illustrates the SMODEM and SRS232 communications structure. The compressed buffer is a work buffer used to compress data prior to transmission through SMODEM or SRS232 communication lines. A packet header is placed at the beginning of the read token and at the beginning of the write token. In the preferred embodiment the read and write tokens are stored in shared memory.

FIG. 6 illustrates a configuration in which multiple requesters 110 communicate with a single server 602.

FIG. 7 illustrates a configuration in which a single requester 110 communicates with multiple servers 602.

FIG. 8 illustrates a configuration in which a system 802 and multiple servers 804 communicate with one another.

FIG. 9 illustrates a configuration in which multiple systems 802 and multiple servers 804 communicate with one another via modems 124 over phone lines 906 and also over LANs 902 and wide area networks 904. This figure illustrates the ability of the system to interface with multiple communications protocols.

FIG. 10 illustrates a configuration in which multiple requester systems 1002, multiple server systems 1004, and multiple server/requester systems 1006 communicate with one another. The configuration in this figure is similar to that shown in FIG. 9.

FIGS. 11 and 12 illustrate a configuration in a server 1004 which includes communication sessions 1120 to communicate with requesters, encrypter/decrypter 1128, read threads [...], [...] and alias/path storage 1104, 1106, 1108. The [...] cached user [...] and access [...] 1124 and the cached [...] associated path 1126 caches are used to store data [from the access] permission storage 1106 and the alias and [path] storage disks 1108 for improved system performance.

To protect resources on the network domains, an access control list (ACL) is used for each network domain in access permission storage 1106. The ACLs are managed by [the network] administrator to define to which resources a user can [have access] and what kind of accesses the user [has] to each resource. The system provides a sophisticated [...] a user cannot view or access any resources other than those [...]. [The following] permissions are used by our [...]:

READ_FILE
WRITE_FILE
CREATE_FILE
[...]
EXECUTE_FILE
CHANGE_ATTRIBUTE
ACCESS_SUBDIR
CREATE_SUBDIR
REMOVE_SUBDIR

For example, if the user is not permitted access to any subdirectories from a network resource, the user will not see any subdirectory at all when viewing the network resource. If for some reasons the user knows a particular subdirectory
exists under the network resource, he cannot access it anyway. The management of network resources and user access permissions is provided with a user-friendly Graphical User Interface application. Together with the logon procedure, ACLs provide effective protections to the resources on the network domains.

FIG. 12 is a more detailed view of the server 1004 of FIG. 11. A control manager 1122 within the server 1004 is responsible for communication between the server 1004 and other applications on the server 1004 machine. Thus, the server 1004 can be informed if a database has been changed by a resource control application. The server 1004 can also accept a message from another application 102 to send to all selected clients over active sessions. If an electronic mail system should be needed, the server 1004 can save the message and wait until a client is logged on to send the message over the session. To support these features, the control manager 1122 posts message or e-mail packets to the incoming packet queues 1206 of the sessions 1120. When the server processing threads 1114, 1116 of the sessions 1120 retrieve the packets from the queue 1206, they will process the packets based on the packet types defined in the packet headers.

FIGS. 13A-D illustrate the packet headers used in the logon procedure. A session key KS and an initialization vector IV are defined for a communication session between a client and a server 1004 when security level 1 or higher is desired (in security level 0, no encryption is used).

FIG. 13E illustrates a normal packet such as those used during data transfer. When an e-mail or message packet is sent, the preferred embodiment uses security level 2 by default to protect the messages. In security level 2, both packet header and data are encrypted using single DES encryption.

The requester also has the capability to signal request routers 106 of all applications 102 when a communication session is terminated abnormally whether the request routers 106 are sending request packets or waiting on response packets. In order to perform this feature, the response signals (i.e., the return addresses stored in the request packets) are saved in response-signal queues by the session write thread 1116. Each communication session has a response-signal queue 1206 to reduce the search time. When the response packets are successfully delivered, their corresponding response signals are removed from the queue by the session read threads 1114 of the corresponding communication

In the prior art the requester is the one that translates and formats requests from the applications; thus, it cannot perform preparation ahead of time. In addition, information accumulating in one place could increase the search time. The prior art requires its intrinsics modules in both the application and the requester which may require more resources to be allocated and more machine instructions to be executed. Furthermore, the prior art does not have the capability to accumulate multiple request packets from a requester so that the server can process the next packet request while the previous response packet is traveling back to the requester on the network or being processed by communication devices in their own memory buffers.

In contrast to the prior art, the preferred embodiment contains the formatting and translating code in just one place, the request router 106. Our requester only encrypts packet headers and packet data if necessary and then calls the transport functions to send the packets to the server. In addition, requester 110 is also responsible for saving logon and mounting information, managing the communication sessions, and delivering response packets received from multiple network domains to multiple request routers while sending request packets to the multiple network domains. Requester 110 does not need to know the format of the response data, and can deliver the response packets immediately upon receiving them. The request routers 106 can then format or translate the response data in the applications' timeslices while the requester 110 is waiting for other incoming response packets or reading data from the communication devices 120, 122, 124, 126. Thus, the preferred embodiment achieves better performance than the prior art.

The prior art also requires the intrinsic modules to translate and format the application data from a program stack segment to a parameter block before sending it to its requester where the data is once again formatted or copied into a data communication buffer. In contrast, the request routers 106 in the preferred embodiment format the application data only once and store the formatted data into the write token which will be used by the requester and the communication subsystem to send the request packets to the server. When the response packets arrive, the requester 110 uses the response signals to tell the corresponding request routers that their response packets have arrived. At that time, the request routers 106 transfer response data directly from the read tokens into the application buffers. Thus, the preferred embodiment eliminates the overhead of copying

channels. If an application 102 terminates before its data between fflcmoiy buffers. 

response packets arrive, the response packets are discarded Fiuthamore, the prior art docs not have the dynamic 

and die response signals are also removed from the queue packet header feature to sui^X)>it packet authentication on 

after all diaining response packets have arrived. 50 demand. Neither does its server authenticate the requester to 

In addition, the read thread of the client session also prevent replaying of packets by intruders. The prior art also 

recognizes different types of packeu to determine whether it requires two different programs running on the server to wait 

should route the received padcets to the application's request for incoming data from different comnmnication (vx^ocols. 

router or to a message manager within the requester: The The preferred cmbodiiiicnt only requires the server to be 

message manager of tibc requester is responsible fca- message 55 started once for multiple conmumication protocols, 

and e-mail packets sent from the connected savers. This In genial, a session on the server 1004 will support 

feature is important because it allows the server to initiate multiple {plications on the requester, thus, a server 1004 

the sending of packets while a session is active. As an must somehow remember the resources allocated for the 

cxan^e, a hot-link can be defined so that a server can client applications so that these resources can be released 

infc^ die connected dients if a daubase should be changed 60 wfae&er the client applications terminate abnormally or the 

<s a server administratCH^ can send a message to all or conmuinicatiott sessicms are destroyed abnormally. Our 
selected clients telling them if a server should be out of server supports this feature in each session thread. Since the 

service shortly, etc. In a more advanced ^Ucation, an allocated resources are isolatedly remembered for different 

electronio-mail server application can be written so that the request^ the search time is minimum every time they are 

message packets are saved on the server until a dlent is 65 added or removed from the memorized list. In addition, 
logged on. At ttiat time, the server will send the saved security audit can be turned on and off by the nttwork 

messages to the connected client resource manager running on the server over the control 



11/12/2003, EAST Version: 1.4.1 



5,689^66 




^ipphed m the auditing reques, pacl^ </re^^o« ^^i^^^'^'J'^.'^'^'^P^oftbcp^^Ti^ 

names are storedin tbe auditing^uest pactoLTHhe^ S*f^5*^''**'° ^*"°W»ted with a fai 

^ also be logged based on %u^sJ^mJ^ ^ , "Z"- "T"^ « «fc«lg» «o S outsSe 

««f«*ons. auea. or Dom 5 .ntnidets early m the verificaUon process. For intrudm 

n,i?«^f application is the one which deter- ^7^.,^^ ^ oiganization. the server name may be 

^ J,!" h"''^? be started on the host cen^S. ^s^^- " *^ P^ of «ogon^cto 

'S" ^""i"" to conn3^ 6*^»t random namber and the ORC 

^T^*°^"°''!l"'^'«=*^'"'"^ host »«va are the heart of the vcrificatirsk«ris 

^J^^^"^ embodiment, the session manag' ^""^Wed with the key genaated from theTe? mZdl^l 

applications. If the logon is succcwlul the j^S^^f! « * term key « generated with the X9.17 key 

server receiving thread to rt«iye Td a«Se .SSL f sS^ ^!!]:^"^ « ^on ^ 

packets in a packet queue so that they vriUbTSSi^ hv between two nodes on the netwoit nu,s, the 

the saver processing thread. When^ ^s^of^SS S^SS?*'^*=**°°'*y«"^*«P<»'«*e 

requestixjckctisreceived, the server rec«vi^g"anJZS ^%SlS^^ni^'T "f 

ing threads terminate themselves. However, tf the 2s dSv^^ff^M^^^^T"^ *^ ^""^ ™s< 

mcahon session is destroyed abnormally, the sff^er^^ hte fS^fSS^ f^, either 64 or 192 

mg ftread simulates a disconnect r^uest mckT^ 5e I^^^T ^ °° *^ "'^'"^ ^ «"^o'>- 

WCDdsittothepacketqueuetosignalttes^erSSsstef once when *e 

J^^.terminate.^eserve.re^^,^«S -^S'';^rusSSe"^br^1^ 

J::L"^;"c^.-2'rsLS'=5'th'?r^^^ " Ir^' - -'-^ ^--^ 

logon mentioned in the abovelparagraph. Tbc^^t% between nodes. In many cases, data nrnst 

receives a logon request fSTtegS^S^tft .W^^k'^.'"" oodes within an organization. Bor 

establishes the scssio!, itself and ^n So^S^'„» « ^r^' "«na«emcnt oIBcers within a private 

This is so done by the command iS^^^j!^^ " ^^^^ ZT'S^^'^^'^'^'^'^^l^ntil^^. 
not by the session 

c^uE^iKT. mwoD wunout leaks to their employees. 

SincerequestpackctsareacaimulatedintheDacfainu™,. ^j^f^^^^^^.^Hcationlayeralsoreduccsfliecostof 

requests to the same ho'st^^uteT ^ ^ '^'^ « 1^ " onT^mmuniS 

Tie prior art requires an application to send a function «ii k ' P«='«* *eo<«ing 

to the host compm« to eSshed a co^i^f^'J* ^Ss^oJ'tLT '° """^f •^««^ 
sion.OursystemestaWishesacoinmunicalion8esd«i^A^^ ^ messages. In addition to minimum 

requester when it receives a logon rt^uw T 1^1 l^^^ mawmum performance, security is also pr^ 
program or a request routoa^-nofel *: ^^ vided to protect the secret of the data. "^wo- 

and retranslate the request packets toi^wSoue^Z^ ^^t^^f?**^' " understood byAose 

before forwarding ftem tVte, r^Z^l^Z J^Z ^i^*"* ^ «»ay be made 

server when the network resou,^ to not^SS on H SfS^r^**'* ^ ^P"*- «<=opc. i.d leaeh! 

smer.TTmis.multlples«verscanbcc^2:,^±Xrt 55 tos c^ rSl^n^ /^.^^iSP''' «i«Vf encypdon 
shown in HGS. 7-10 to expand the arnowTof !^ -S^ ^ changed, algMithms used to generate the 

resources available to requ^. NonLTi"^^ mS'A'T'^ ^^^"^ the device i, be S^! 
requires the intenncdiate servers' adm^t^fnJ^ hardware or software, etc. Accortingly. the ^en- 

Jons in the AO. of th'e imcrn^^^^ ^''^'^ 'or a network, com- 

^^^^.'^Z^TZtL^Vrr. ^-r-e -tthecHentf^erom^^: 
advKcd when using this feature since logon user IDs and « i« means to communicate with .1 

passwords must be sent along with the raecnS^o ™^ 

Packets. * ™!"e« packet reception means to receive transmitted packet 

data from the server. 
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means to generate and transmit a first packet to the server, at least a portion of the first packet having a first packet header containing client identifying information;
means to encrypt at least a portion of the client identifying information in the first packet header prior to transmission;
means to decrypt at least a portion of the client authenticating information in a second packet header and to determine if the second packet is from the server, the client further having means to terminate the communication if the second packet is from an invalid server;
means to generate and transmit a third packet to the server, at least a portion of the third packet having a third packet header containing session information;
means to encrypt at least a portion of the session information in the third packet header prior to transmission; and
the server further comprising:
server communication means to communicate with the client;
packet reception means to receive transmitted packet data from the client;
means to decrypt at least a portion of the client identifying information in the first packet header and to determine if the first packet is from a valid client, the server further having means to terminate the communication if the first packet is from an invalid client;
means to generate and transmit a second packet to the client in response to the first packet, at least a portion of the second packet having the second packet header containing client authenticating information;
means to encrypt at least a portion of the client authenticating information in the second packet header prior to transmission; and
means to decrypt at least a portion of the session information in the third packet header;
whereby, the client and the server each verify the validity of the other by transmitting encrypted identifying information to one another.

2. A security system, as in claim 1, further comprising:
means in the server to generate and transmit a fourth packet to the client in response to the third packet, the fourth packet having a packet header containing session information; and
means to encrypt at least a portion of the session information in the fourth packet header prior to transmission.

3. A security system, as in claim 2, wherein:
the client has a userid;
the client has a password;
the first packet is encrypted by:
concatenating a random number with a predetermined bit constant to form a value R;
a CRC signature C1 is generated from the value R and the value R used as a DES key to encrypt the userid;
the server name is used to generate a key K to encrypt the value R;
the key Ka is generated by a one way hash function from the userid and password; and
a random number Ra and its CRC signature C2 is generated, Ra and C2 are encrypted using key Ka.
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
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4. A security system, as in claim 3, wherein:
the server further comprises an encrypted client password file;
the second packet is encrypted by:
a key K2 is generated from the server name and a one way hash function to decrypt the packet header of the first packet;
the userid is decrypted using the decrypted value R from the packet header;
the decrypted userid is used to access an authorization table to determine if the first packet is valid;
the userid is used to extract a one way hashed password Kb from the encrypted client password file, the password Kb is then used to decrypt values Ra, C2;
the value Ra is manipulated via a predetermined formula to produce a random number R'a;
a random number Rb is generated by the server;
R'a and Rb are encrypted with password Kb, inserted into the packet header of the second packet and transmitted to the client.

5. A bidirectional security system for a network, comprising:
at least one client, the client further comprising:
means to encrypt a first logon packet;
means to transmit the first logon packet to the server;
means to decrypt the second logon packet;
means to encrypt a third logon packet with session information;
a server, further comprising:
means to decrypt the first logon packet;
means to encrypt a second logon packet with client authenticating information;
means to transmit the second logon packet to the client;
means to decrypt the third logon packet; and
a communication channel capable of transmitting packets between the client machine and the server,
whereby the client and server can establish secure communications by bi-directionally transmitting encrypted data.

6. A security system, as in claim 5, further comprising:
means to encrypt packet data in at least two security levels, the first security level having a first packet encryption scheme and the second security level having a second packet encryption scheme;
whereby the security system can selectably encrypt packet data with at least two packet encryption schemes.

7. A security system, as in claim 6, further comprising:
means to encrypt packet data in at least three security levels, the third security level having a third packet encryption scheme;
whereby the security system can selectably encrypt packet data with at least three packet encryption schemes.

8. A security system, as in claim 7, wherein the first packet encryption scheme is a single DES encryption.

9. A security system, as in claim 8, wherein the second packet encryption scheme is a triple DES encryption.

10. A security system, as in claim 9, wherein:
the first packet encryption scheme encrypts the packet header information; and
the second packet encryption scheme encrypts the packet header information;
the third packet encryption scheme is a triple DES encryption and further encrypts the packet header and the packet data.
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11. A security system, as in claim [...], wherein:
the server further comprises means to encrypt a fourth logon packet; and
the client further comprises means to decrypt the fourth logon packet.

12. A security system, as in claim 9, wherein:
the client further comprises means to encrypt data packets; and
the server further comprises means to encrypt data packets;
data packets are selectably encrypted using at least one of the security levels; and
means to dynamically adjust the size of the packet header based on the selected encryption scheme.

13. A security system, as in claim 5, wherein:
each client includes at least one application program; and
the server further comprises at least one packet queue for each client;
whereby application performance is improved by reducing packet search time.

14. A method of securely transmitting packet data between a client and a server with encrypted packets, including the steps of:
using at least one communication channel to transmit packets between at least one client machine and at least one server;
encrypting in the client a first logon packet;
transmitting the first logon packet to the server;
decrypting the first logon packet in the server;
encrypting a second logon packet in the server with client authenticating information;
transmitting the second logon packet to the client;
decrypting the second logon packet in the client;
encrypting in the client a third logon packet with session information;
decrypting the third logon packet in the server;
whereby the client and server can establish secure communications by bi-directionally transmitting encrypted data.

15. A method, as in claim 14, including the further steps of:
encrypting a fourth logon packet in the server with session information;
transmitting the fourth logon packet to the client; and
decrypting the fourth logon packet in the client;
using the session information to control encryption of data packets communicating between the client and server.

16. A method, as in claim 15, including the further step of using at least two selectable encryption schemes, including a first encryption scheme for a first security level and a second encryption scheme for a second security level.

17. A method, as in claim 16, including the further steps of:
using at least two communication channels to communicate between multiple client and server, at least a first communication channel having a first level of security and a second communication channel having a second level of security; and
using the first encryption scheme for the first communication channel and the second encryption scheme for the second communication channel.

18. A method, as in claim 17, including the further step of using single DES encryption for the first level of security and triple DES encryption for the second level of security.

19. A method, as in claim 18, including the further steps of:
using packets which contain a header portion and a data portion; and
using a third encryption scheme in which triple DES encryption is used for the packet header and the packet data.

20. A method, as in claim 19, including the further steps of:
selecting the encryption scheme based on the nature of the [...]
[...] encryption scheme.
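The logon exchange of claims 3 and 4 (the client sends R with its CRC C1, the userid encrypted under R, and Ra with its CRC C2 encrypted under Ka; the server recovers R with a key derived from its own name, looks the userid up, decrypts Ra under the stored Kb and answers with R'a and Rb encrypted under Kb; each side terminates if the other's proof fails), as an added example that is not part of this patent or of any implementation of it. The claims name DES; to run with the Python standard library alone, this example replaces each DES step with an HMAC-SHA256 keystream (the `xcrypt` helper, which is not DES). SHA-256 as the one way hash, CRC-32 as the CRC signature, the bit constant, bitwise complement as the "predetermined formula" for R'a, and the `Client`, `Server` and `logon` names are all assumptions of this example:

```python
import hashlib
import hmac
import secrets
import struct
import zlib
from typing import Dict, Optional

# Constructed stand-in for the claims' "predetermined bit constant" (assumption).
BIT_CONSTANT = b"\xa5\x5a\xa5\x5a"


def oneway_hash(*parts: bytes) -> bytes:
    """One way hash for key derivation; the claims name none, SHA-256 is assumed."""
    h = hashlib.sha256()
    for p in parts:
        h.update(struct.pack(">I", len(p)) + p)   # length-prefixed so parts cannot slide
    return h.digest()


def xcrypt(key: bytes, data: bytes, label: bytes) -> bytes:
    """Stand-in for each single-DES step of the claims: XOR with an HMAC-SHA256
    counter keystream. This is NOT DES. Encrypt and decrypt are the same call;
    'label' keeps the keystreams of fields that share one key apart."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, label + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def crc(data: bytes) -> bytes:
    """CRC signature of claims 3 and 4 (CRC-32 assumed)."""
    return struct.pack(">I", zlib.crc32(data) & 0xFFFFFFFF)


def ra_prime(ra: bytes) -> bytes:
    """The 'predetermined formula' of claim 4; bitwise complement is assumed."""
    return bytes(b ^ 0xFF for b in ra)


class Client:
    def __init__(self, userid: bytes, password: bytes, server_name: bytes):
        self.userid, self.server_name = userid, server_name
        self.ka = oneway_hash(userid, password)        # key Ka from userid and password
        self.ra = b""

    def first_packet(self) -> Dict[str, bytes]:
        r = secrets.token_bytes(4) + BIT_CONSTANT      # value R = random number || constant
        self.ra = secrets.token_bytes(8)               # random number Ra
        k = oneway_hash(self.server_name)              # key K from the server name
        return {
            "enc_r": xcrypt(k, r, b"R"),               # R encrypted under K
            "c1": crc(r),                              # CRC signature C1 of R
            "enc_userid": xcrypt(r, self.userid, b"U"),  # userid encrypted with R as key
            "enc_ra_c2": xcrypt(self.ka, self.ra + crc(self.ra), b"A"),  # Ra || C2 under Ka
        }

    def check_second_packet(self, pkt: Dict[str, bytes]) -> Optional[bytes]:
        """Returns Rb if the server proved it holds Kb (== Ka), else None."""
        plain = xcrypt(self.ka, pkt["enc_rap_rb"], b"B")
        if not hmac.compare_digest(plain[:8], ra_prime(self.ra)):
            return None                                # not our R'a: invalid server, terminate
        return plain[8:16]


class Server:
    def __init__(self, name: bytes, password_file: Dict[bytes, bytes]):
        self.name = name
        self.password_file = password_file             # userid -> Kb (one way hashed password)

    def handle_first_packet(self, pkt: Dict[str, bytes]) -> Optional[Dict[str, bytes]]:
        """Returns the second packet, or None when the first packet is not from a valid client."""
        k2 = oneway_hash(self.name)                    # key K2 from the server name
        r = xcrypt(k2, pkt["enc_r"], b"R")
        if r[4:] != BIT_CONSTANT or not hmac.compare_digest(crc(r), pkt["c1"]):
            return None                                # header did not decrypt under K2
        userid = xcrypt(r, pkt["enc_userid"], b"U")
        kb = self.password_file.get(userid)            # authorization table lookup
        if kb is None:
            return None
        plain = xcrypt(kb, pkt["enc_ra_c2"], b"A")
        ra, c2 = plain[:8], plain[8:12]
        if not hmac.compare_digest(crc(ra), c2):
            return None                                # Ra did not decrypt cleanly: wrong password
        rb = secrets.token_bytes(8)                    # random number Rb
        return {"enc_rap_rb": xcrypt(kb, ra_prime(ra) + rb, b"B")}


def logon(client: Client, server: Server) -> Optional[bytes]:
    """Runs the two-packet exchange; returns Rb on mutual success, None otherwise."""
    second = server.handle_first_packet(client.first_packet())
    if second is None:
        return None
    return client.check_second_packet(second)
```

The server rejects when R does not decrypt to a value ending in the bit constant (wrong server name), when the userid is absent from the authorization table, or when Ra fails its CRC under Kb (wrong password); the client rejects when R'a is not the expected transform of its own Ra, which is the server's proof that it held Kb. Note what the CRC provides here: it shows that a field decrypted cleanly under the expected key, which is the check the claims rely on, but it is not a message authentication code, so the design depends on the packet header encryption, not the CRC, to keep the fields from being altered in transit.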
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ABSTRACT 



A system and method for data communication with adaptive security in which a send host transmits a data stream to a receive host in packets which contain an authentication data block with an authentication header and a signature block. The authentication header advantageously contains various fields including a verification type, a security algorithm, a minimum security level, a target security level, and an actual security level. The receive host adaptively performs verification of the data packets using varying security levels based in part on the availability of security operations per second (SOPS) in the receive host. Where a data stream in the receive host is delayed by a security processing bottleneck, the receive host may alter the verification type, security algorithm, or the actual security level to speed up the processing of the data stream by reducing the amount of security processing performed. The receive host further allocates the SOPS among the data streams received based on a priority assigned to each data stream.

31 Claims, 8 Drawing Sheets 
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ADAPTIVE DATA SECURITY SYSTEM AND 
METHOD 
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APPLICATIONS
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Provisional patent application entitled "Authenticast: Adaptive Protocol to Enable Strong Authentication in High-Performance Applications" filed on Oct. 28, 1997 and accorded Ser. No. 60/063^51, which is incorporated herein by reference. This application is also a continuation Ser. No. 09/181,304 U.S. Pat. No. 6,108,583, having a priority date of Oct. 27, 1997, a filing date of Oct. 28, 1998, and issued on Aug. 22, 2000 to Schneck, et al. This application claims priority to and benefit of U.S. Pat. No. 6,108,583.

This application is a continuation of application Ser. No. 09/181,304, filed Oct. 28, 1997, now U.S. Pat. No. 6,108,583.

STATEMENT REGARDING FEDERALLY 
SPONSORED RESEARCH OR DEVELOPMENT 

The U.S. government has a paid-up license in this invention and the right in limited circumstances to require the patent owner to license others on reasonable terms as provided for by the terms of DAAH04-96-1-0209 awarded by the U.S. Department of Defense.

TECHNICAL FIELD 

The present invention is generally related to the field of 
data communications and, more particularly, is related to a 
system and method for securing data communication. 

BACKGROUND OF THE INVENTION 

Currently there is an exponential increase in the number 
of banks and other businesses that use the Internet to conduct 
transactions. The Internet is often a less expensive and less 
time consuming business medium than paper or the tele- 
phone. Electronic commerce and data interchange are 
increasing efficiency and giving companies a competitive 
edge in the global economy. With this growth in Internet 
electronic commerce, it becomes essential that greater secu- 
rity be provided for network-enabled transactions and col- 
laboration. 

The demand for information security is further elevated by the increasing prevalence of virtual private networks (VPNs), which are configurations by which private business is conducted over public media, such as the Internet. Sharing an existing public communications infrastructure is far more cost-effective than building a separate network for every business. However, security is required to create this "private" logical network over existing public wire. To create this VPN, security operations are invoked at both the source and destination nodes to ensure properties such as confidentiality, integrity, and authentication, for proof of origination and non-repudiation, of data.

Although some Internet commerce applications have been developed, they do not provide sufficiently strong security for trusted transfer of private data over a public medium. The very essence of strong security is the notion that the security medium employed to protect data cannot be compromised in a sufficiently short time to allow use or alteration of those data by an unauthorized party. Therefore, data protection mechanisms for strong security are required to be complex, and they thus have a high computation overhead which detracts from overall application performance. In the interest of performance, security procedures are often omitted. If Internet commerce applications are to succeed, they cannot compromise performance or security. In the best possible case, security mechanisms would be transparent to users. However, so far, security on the world wide web is poor. Relatively few vendors can deliver invisible security. The inherent tradeoffs in realizing both security and performance comprise the challenge we face in providing them.

In addition, law enforcement officials are becoming increasingly dependent on the availability of real-time, network collaborative and shared applications. For example, police officers are assisted by real-time photos and data delivered directly to their vehicles. This often requires strong authentication measures which are admissible in court as proof of origin, identity, and integrity of certain data and electronic evidence. The ability to dynamically vary levels of authentication to match available resources and current requirements provides users of law enforcement applications options to employ strong security and use data as evidence while still receiving these data in a timely manner. This option was previously unavailable.

In addition, the healthcare industry is another example of a business relying heavily on shared or collaborative applications to provide greater customer service. For example, electronic communications infrastructures such as the Internet facilitate and expedite potentially worldwide collaboration on x-ray images or case studies. These materials, however, contain personal data, and for patient privacy and safety, are often required to be encrypted, for confidentiality and/or authenticated, for identification of the image. Again, security is necessary for these applications that enable the networked collaboration, yet the security could be detrimental if it hampers the speed with which the information can be used to help the patient.

SUMMARY OF THE INVENTION 

The present invention provides a system and method for facilitating adaptive security between a send host and a receive host. Briefly described, in architecture, the system includes a send host having a processor coupled to a data bus, a memory coupled to the data bus, an input device coupled to the data bus to input a desired security configuration for a data stream to be communicated to a receive host, and an output device coupled to the data bus to display the desired and actual security configurations for the data stream on an output display, the actual security configuration generally being received from the receive host. The processor operates according to adaptive security logic stored on the memory which includes logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block with an authentication header containing the actual security configuration and a signature.

The system further includes a receive host which comprises a processor, memory, data input, and data output, all coupled to a data bus. The data input is configured to receive at least one data stream comprising a number of data packets, the data packets including an authentication data block having an authentication header and a signature. The processor runs according to adaptive security logic stored on the memory. The adaptive security logic includes logic to decompose an authentication header in the data packets, logic to perform a variable percentage verification on the data packets from the data stream, and logic to determine an actual verification percentage performed based on a number









US 6,510,349 B1


of available security operations, a minimum verification threshold, and a desired verification target, the minimum verification threshold and the desired verification target being contained in the authentication header. The adaptive security logic also includes logic to verify the data packets using delayed verification techniques.

The present invention can also be viewed as providing a method for communicating a data stream employing adaptive security. In this regard, the method can be broadly summarized by the following steps:

identifying a desired verification type, a desired security algorithm, a minimum security level, and a target security level in a send host for communicating a data stream from the send host to a receive host;

determining an actual verification type, an actual security algorithm, and an actual security level in the receive host based on the desired verification type, desired security algorithm, minimum security level, target security level, and an availability of a number of security operations per second (SOPS);

communicating the actual verification type, the actual security algorithm, and the actual security level from the receive host to the send host;

generating a plurality of data packets associated with the data stream in the send host, the data packets having an authentication data block with an authentication header, the authentication header containing the actual verification type, actual security algorithm, minimum security level, target security level, and the actual security level;

verifying the data packets on a percentage basis if the actual verification type is percentage based verification, the percentage based verification being performed at the actual security level which is greater or equal to the minimum security level and less than or equal to the target security level; and

performing a delayed verification on the data packets if the actual verification type is delayed verification.

The present invention has numerous advantages, a few of which are delineated hereafter as merely examples. An advantage of the invention is that it facilitates more effective data security by allowing a receive host to adapt the security level at which a data stream is verified based upon the availability of host processor resources to provide security operations per second (SOPS) in the receive host. In this manner, data streams received by the receive host are not delayed or lost due to a security processing bottleneck which can occur if multiple incoming data streams stress the security operation capacity of a particular receive host.

Other advantages of the invention include that it is user friendly, robust and reliable in operation, efficient in operation, and easily implemented for mass commercial production.

Other features and advantages of the present invention will become apparent to one with skill in the art upon examination of the following drawings and detailed description. It is intended that all such additional features and advantages be included herein within the scope of the present invention.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The invention can be better understood with reference to the following drawings. The components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present invention. Moreover, in the drawings, like reference numerals designate corresponding parts throughout the several views.

FIG. 1 is a functional block diagram of a data security system according to an embodiment of the present invention;

FIG. 2 is a block diagram of the send host of FIG. 1;

FIG. 3 is a flow chart showing the send host authentication logic of FIG. 2;

FIG. 4 [...];

FIG. 5 is a drawing of an authentication data block generated by the send host of FIG. 2;

FIG. 6 is a block diagram of the receive host of FIG. 1;

FIG. 7 is a flow chart showing the receive host authentication logic of FIG. 6; and

FIG. 8 is a flow chart of a SOPS identification subroutine of FIG. 7.

DETAILED DESCRIPTION OF THE INVENTION

Turning to FIG. 1, shown is a functional block diagram of an authentication system 100 according to an embodiment of the present invention. The authentication system 100 includes at least one send host 103 and a receive host 106. Although only a single send host 103 is shown, it is understood that multiple send hosts 103 may communicate with the receive host 106, the single send host 103 being shown for purposes of the following discussion. Likewise, the send host 103 may communicate with multiple receive hosts 106, the single receive host 106 being shown for purposes of the following discussion as well. Additionally, multiple send hosts 103 may communicate with multiple receive hosts 106.

The send host 103 generates a data block 109 or receives a data block 109 from a separate source to be communicated to the receive host 106. Generally, the data block 109 is of a predetermined length and may be formed, for example, [...] by the send host 103. The data block 109 is formed as the data payload in a packet to be communicated to the receive [...] discussed.

The data block 109 may include any type of data such as, for example, but not limited to, audio, video, or other computer data. The send host 103 also includes a key 113 which may be a block of data of predetermined length as is known in the art. The key 113 may be a private key for signing the data, or a public key for encrypting the data as known in the art. Note that other keys may be employed to accommodate different authentication or encryption algorithms.

The send host 103 includes a signature generator 116 which generates a signature block 119 from the data block 109 and the key 113 using a predetermined security algorithm which may be, for example, but not limited to, a security algorithm such as the Digital Signature Algorithm (DSA), the Rivest-Shamir-Adleman (RSA) algorithm, or secret key authentication, which are generally known in the art.

The send host 103 also includes an authentication header generator 123 which generates an authentication header 126. The authentication header 126 includes various data fields, such as, for example, an authentication sequence number, data frame size, frame type, security algorithm, verification type, minimum security level, target security level, and an actual security level. The receive host 106 employs these data fields to generate an actual security configuration to
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achieve authentication of a data stream communicated from the send host 103. The actual security configuration is dynamic in that it may be changed by either the send host 103 or the receive host 106 during the course of data communication therebetween in response to user or application requirements, or changes in computer resource availability as will be discussed.

The authentication header generator 123 may receive a desired security configuration from the user input 129 or a default desired configuration may be received from a default storage 133 for a particular data stream. The desired security configuration is displayed on a display device 136 along with the actual security configuration which may ultimately be determined by the receive host 106 depending upon the specific desired security configuration specified by the user. Upon system startup, the default desired security configuration is obtained from the default storage 133 and displayed on the display device 133. A user may then alter the desired security configuration via the user input 129.

are limited as delayed authentication exploits hashing techniques that reduce a large amount of data to a relatively small amount which can be verified rather quickly. However, there is a greater probability of processing delay due to data corruption as many data blocks are verified at once, which means that a single corrupted data block would require the entire data block to be retransmitted for verification.

When percentage based verification is employed, a predetermined percentage of signature blocks 119 and corresponding data blocks 109 from the data packets 143 are accessed by a percentage authentication verifier 163 as indicated by the first functional switch 149 being placed in the P position. A second functional switch 166 provides access to a particular signature block 119 and corresponding data block 109 upon which verification is performed when in the Y position. Otherwise, when the second functional switch 166 is in the N position, data block 109 is passed on [...] 159 without verification, the signature block 119 being discarded as shown. After a [...] percentage authenti-

The authentication header generator 123 generates the 20 cation verifier 163, the verified data block 109 is provided to 

authentication header 126 which contains the actual security receive data processor for further processing according 

configuration to be placed in an authentication data block to specific applicatioo. Note that the frequency or actual 

139, Together, the data block 109 and the authentication data security level at which the second functional switch 166 

block 139 make up a data packet 143 which is communi- provides access to the signature blocks 119 and correspond- 

cated to the receive host 106. The data stream is thus a 25 ing data blocks 109 is determined by the security monitor 

continuous stream of "signed" data packets 143, each data 169. Generally, the security levels as discussed herein refer 

packet 143 containing an authentication data block 139 with to the percentage of verified data packets in the receive host 

an authentication header 126 and a signature block 119. It 106. Tlic security monitor 169 also determines the verifica- 

may also be possible, however, that the data stream may tion typ^ as indicated by the first functional switch 153, as 

only contain a predetermined percentage of "signed" data 30 well as the specific security algorithm employed by both the 

packets 143 as desired by the user. The security configura- delayed authentication verifier 156 and the percentage 

tion identified in the authentication header 126 is initially authentication verifier 163. 

determined from the desired security specification and may The security monitor 169 attempts to specify an actual 
be altered based on feedback received from the receive host verification type, actual seciuity algorithm, and an actual 
106. Note that the user may alter the desired security 35 security level according to the desired security configuration 
specification after data communication is commenced received from the send host 103. However, the receive host 
between the send host 103 and the receive host 106. The 106 may not have enough processor time or security opera- 
receive host 106 may also alter the actual security configu- tions per second (SOPS) to provide the desired security 
ration based on the operating state of the receive host 106, configuration due to the verification of other data streams 
the altered security configuration being displayed to the user 40 which currenQy employ much if not all of the SOPS avail- 
on the display device 133. able in the receive host 106 at a given moment. 

The receive host 106 receives the data packet 143 and the Consequently, the security monitor 169 may force a change 

authentication header 126 is decomposed in an authentica- in the verification type, security algorithm, and/or the actual 

tion header decomposer 146 in which the above stated fields security level that differs from the desired security configu- 

are separated from the data packet 143 for use by the receive 45 ration received by the send host 103 in order to accommo- 

host 106. The receive host 106 then attempts to execute the date the data stream. 

desired security verification configuration contained in the In order to change the security algorithm employed, the 

authentication header 126. The receive host 106 may employ security monitor 169 sends the new security algorithm to be 

one of several verification types. In the preferred employed to the send host 103 via a return path, the 

embodiment, two specific verification types are used, 50 authentication header generator 123 implementing the new 

namely, delayed authentication verification and percentage security algorithm while changing the authentication header 

based verification, although other verification types may be to indicate the new security algorithm appropriately. The 

employed as well. security algorithm is changed in this manner because the 

When delayed authentication is employed, a predeter- generation of the signature block 119 is performed by the 

mined number of signature blocks 119 and corresponding 55 send host 103. 

data blocks 109 from the data packets 143 received are Likewise, a change in the verification type is effected by 

collected in a bundle 149 as indicated by a first functional the security monitor 169 by sending the new verification 

switch 153 which is placed in the D position. Thereafter, the type to the send host 103 via the return path. The new 

delay authentication verifier 156 operates on the bundle 153 verification type is then placed in the authentication header 

and verifies the data blocks 109 contained therein together 60 126 by the authentication header generator 123. When a data 

using appropriate hashing functions known by those skilled packet 143 containing the new verification type reaches the 

in the art. Delayed verification will verify one hundred receive host 103, then the security monitor causes the first 

percent of the data packets. Once verified, the data blocks ftinctional switch 153 to move to the D position to employ 

119 are then provided to the receive data processor 159 for delayed authentication verification in synch with the incom- 

further processing according to the specific application. 65 ing data packets 143 earmarked for such verification type. 

Delayed authentication is almost always available as a A change in the actual security level when percentage 

verification option, even when security processing resources based verification is employed may occur in the receive host 
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106 or the send host 103. In the receive host 106, the actual performing the various tasks as discussed herein, the pro- 
security level is raised or lowered based upon the number of cessor 206 operates according to the send host authentica- 
SOPS available in the receive host 106. It is understood that tion logic 229 stored on the memory 209. 
a lower secmty level requires a correspondingly lower Tuming next to FIG. 3, shown is flow chart which depicts 
number of SOPS to implement and vice versa. Note that the 5 the send host authentication logic 229. The send host au then- 
actual security level is not lowered below a predetermined ticaUon logic 229 begins with block 303 in which the desired 
minimum security level which is identified in the authenti- security configuration is determined and displayed on the 
cation header 126 so as to maintain a minimum amount of output display device 136 (FIG. 1). The desired security 
security. The actual security level determined by the security configuration may mchide the desired security algonthm, 
monitor 169 is communicated to the send host 103 for 10 ibe desired verification type, the minimum securitylevel, the 
display on the display device 136. ^^rget secunty level, and the actual security level. The actual 

^ v., jL.u ju* security level may initially be set equal to the target security 

The actual security level may be changed by the send host . , .-wu • l /^m u *l i •* 1 1 

^rt-. o c 11 i- . .1 level until the receive host 103 alters the actual secunty level 

103 by the user. Speaflcally, the user may adjust Uie actual ,^ ^^^^ ^^^^^^ processing resources to accom- 

secunty level v,a the user input 129. If the user adjusts the jj^^ ,,^/Th^ p^^annetcrs may initially 

actual security level to a pomt which the receive host 106 is i' ^ ^ c' •* * j *u 

. . , ^ t ^ r ^^T^r^ -1 1 -I* I be read from a default secunty parameters file saved on the 

unable to mamtam due to a lack of SOPS availability, the j , * j • ^ii^: /itto ^\ • i * j u .u 

. . ^rt, , . u- * data storage device 216 (FIG. 2) or simply entered by the 

receive host 106 may generally react by switching to . ,f ■ . • * r , • ^,^n ai ^ • 

. . , . , ^ t t 1 ? 1 user via the user input interface device 129. Also, dunng 

delayed venncation m which one himdred percent of the . _^ , ^ L • *. i i • ' p Z. 

, , .„ , . , , startup, a data stream prionty level is communicated from 

data packets are venfied as delayed venncation can gener- j u * . .u • u * u- u • ^ u 

- , . . , . r c^r^nc^A . on the scnd host 103 to the receive host 106 which is used by 

ally be performed with a mimmal number of SOPS due to ^^^^.^^ ^^^^ ^ allocating processor resources or 

the hashmg funcUons employed. g^pg ^^^^^ ^^^^ ^^^^^^^ ^^^^^^^^ ^^^^ 

Note that when the receive host 106 alters any security moment. Note that the priority level may also be included as 

parameter due to a lack of avaHable SOPS, the receive host ^ata field in the authentication header 126 (FIG. 1) and 

106 may store the previous desired parameters in memory so ^ay be altered by the user at the send host 103. The priority 

that the receive host may revert back to the previous desired i^^^i jg ^iso displayed on the display device 136. 

parameters when SOPS become available TTie^ parameters ^^^^^ ^ ^y^^^ 3^5^ the send host 103 (FIG. 1) estabhshes 

may mchide, but are not Imiited to, the desu-ed verification ^ ^^^^ communications link with the receive host 106 (FIG. 

type and the desired secunty algonthm. undergoing an initial training procedure in which the 

The receive host 106 includes a receive host input 173 in desired security parameters are communicated fi-om the send 

which a user may alter the actual security parameters manu- host 103 to the receive host 106. The receive host 106 

ally. The receive host 106 displays the desired and actual evaluates its capacity to verify the data packets 143 (FIG. 1) 

security configuraUon on the receive display device 173 to to be communicated according to the desired security 

be viewed by the user. configuration, and, if the receive host 106 has the necessary 

Note that the functionality of the send host 103 and the 35 available SOPS, the verification of the data stream is per- 

receive host 106 as described above and in the following formed according to the desired security configuration. If the 

discussion may be resident in a single computer system requisite SOPS are not available, then the receive host 106 

which may act as a send host 103 or a receive host 106 at any vvill determine and send an actual security configuration 

given time, depending upon whether the user is sending or back to the send host 103 if the desired security configura- 

receiving data. Further, a suigle computer system may tion allows such parameters to be varied by the receive host 

simultaneously act as a send host 103 and a receive host 106 106. The actual security configuration may include, for 

at the same time, communicating one or more data streams example, the actual security algorithm, the actual verifica- 

to a number of destination data cndpoints and receiving one tion type, and the actual security level. If the desired security 

or more data streams from other origination data endpoints. configuration does not allow such changes, then the data link 

All of the above functionality discussed herein is imple- 45 will be rejected by the receive host 106. The actual security 

mcnted at a user/application level as known in the art which parameters are then displayed on the output display device 

provides a distinct advantage as the present invention may 130 (FIG. 2), if the data stream is accepted by the receive 

be employed regardless of the underlying physical layer host 106. 

such as a network. The send host authentication logic 229 then progresses to 
Referring next, to FIG. 2, shown is block diagram of the 50 block 309 in which the data packets 143 (FIG. 1) are 

send host 103 according to an example embodiment of the assembled with the authentication data block 139 (FIG. 1) 

present invention. The send host 103 includes a computer which includes the authenlicalion header 126 (FIG. 1) and 

system 203 with a processor 206 and a memory 209 which the signature block 119 (FIG. 1). The signature block 119 

are elecU-ically coupled to a data bus 213. Also electrically (FIG. 1) is generated using the actual security algorithm 
coupled to the data bus 213 are a data storage device 216, an 55 which is the same as the desired security algorithm specified 

input interface 219, an output display interface 223, and a in the desired security configuration unless altered by the 

data communication interface 226. The input interface mod- receive host 106. The data packets 143 are communicated to 

ule 219 in turn is electrically coupled to a user input the receive host 106. 

interface device 129 such as a keyboard, mouse, or other Next in block 313, the send host authentication logic 229 
suitable device. Likewise, the output display interface 223 is 60 determines whether the desired security configuration has 

electrically coupled to an output display device 136 such as been changed by the user via the user input interface device 

a cathode ray tube (CRT) or suitable display device. The data 129 (FIG. 2). If such a change has been made, then the send 

storage device 216 may be a hard drive, floppy disk drive, host authentication logic 229 progresses to block 316. If not, 

fixed memory device, or other suitaWe means of data then the send host authentication logic 229 progresses to 
storage. The data communication interface 226 allows the 65 block 319. In block 319, the send host authentication logic 

send host 103 to communicate with the receive host 106 229 determines whether any of the actual security param- 

(FIG. 1) via a data commimications channel (not shown). In eters have been changed by the receive host 319. If such a 
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change has been made, ihen the send hosi authentication mouse which guides a pointer on the output display screen, 

logic 229 moves to block 316. In bloc^ 316, the desired and Next to the security thermostat 436 is an actual parameters 

actual security parameters displayed by the output display block 446 which shows an actual security algorithm 453 and 

device 136 are altered to reflect any changes made. an actual verification type 456. The actual security algorithm 

Thereafter, the send host authentication logic 229 reverts 5 453 and the actual verification type 456 are those dictated by 

back to block 309 in which the data packets 143 are the receive host 106 (FIG. 1) based on SOPS availability. If 

generated usmg the new secunty parameters. Accordmg to enough SOPS are available to implement the desired 

the preferred embodiment the actual secunty level may be p^^meters, then the parameters in the actual parameters 

altered by the send host 103 as mitiated by the user, for block 446 would mirror the desired parameters in the desired 

example, whereas the verification type and the secunty verificaUon type block 406 and the desired parameters block 

algorithm may not be changed by the send host 103 after the ^^j^ 

startup of data communication because the receive host 106 , ^ j. . ^ 

controls these parameters. addition, the output display screen 403 features a data 

• ui I am *u u * J . u Stream identifier block 459 in which includes a current data 

If m block 319, the receive host 106 does not change any , * . j^-^ ... 1 . 

f,, , , , *u ju . *u stream mdicator 463 with toggle buttons 466. The toggle 

of the actual secunty parameters, then the send host authen- . • . l 1 ir 

, . I i.1 1 I'^i L ' ^ buttons 466 increase or decrease the value in the current data 

ticatioo logic 229 progresses to block 323 where i! is , j- . ^^-^ . j . - ji- . a^-j 

J * • J L *u *i- * r *L J . * stream indicator 463. The cunent data stream mdicator 463 

determined whether the transmission of the data stream is • j- . *• 1 j . . c l- l 

, , ^, ^ ... ^ 1 * J 1. * mdicates the particular data stream for which parameters are 

complete. If the transmission IS not complete, the send host j - 1 j . . - • 1 ' am . 

^t, ^- 1 • i-^ft _* u 1 * ui 1 * displayed on the output display screen 403 at a given time 

authentication logic 229 reverts back to block 309 to con- . t, j l . ■ • . 

J - * J * 1 * If *i_ in which the send host 103 is commumcating two or more 

tinue to generate and commumcate data packets. If the j . . . ^ • l . 

• ' f *u J * ^ • 1 * • ui 1 I'^i ^ data streams to two or more receive hosts 106. 
transmission of the data stream is complete m block 323, 

then the send host authentication logic 229 ends. Thus, the ^h^ output display screen 403 includes a default configu- 
send host authentication logic 229 ultimately estabhshes an ^^^ion save button 469 which causes the current desired 
actual security configuration by which the data stream is security parameters as reflected in the desired verification 
communicated and reacts to any changes in the security ^ ^yP® ^^^^^ "^^^y ^he desired parameters block 419, and the 
parameters of the actual security configuration iniUated by security thermostat 436 to be saved to the data storage 
either the user or by the receive host 106. In this manner, the ^^"^^^^ 216. In the prefen-ed embodiment, this default con- 
security configuration adapts over time to facilitate optimum figuration is employed whenever a new data stream is 
data transmission speed while providing adequate security. mitiated, where the various default parameters may be 

With reference to FIG. 4, shown is an output display 30 ^^^^^^ 

screen 403 appearing on the output display device 136, The output display screen further includes a packet signed 

which may be a CRT, for example, or other suitable display percentage block 473 which indicates a percentage of data 

device or devices. The output display screen 403 includes a packets 109 (FIG. 1) for which a signature block 119 (FIG. 

desired verification type block 406 in which one may toggle . 1) ^ generated. This value may be less than one hundred 

between delayed verification 409, percentage based verifi- 35 percent when processor resources are stressed in the send 

cation 413, and automatic verification 416. Where delayed (P^. 1), thereby reducing the demand for proces- 

verification 409 or percentage based verification 413 are sor resources for the signature generation, 

chosen, the receive host (FIG. 1) is forced to employ the Finally, the output display screen features a priority 

desired verification type chosen and may not switch to an selection block 476 with a priority indicator 479 and priority 

alternative verification type. Where automatic verification 40 indicator toggle buttons 483. The priority of a particular data 

416 is chosen, the actual verification type can be determined stream may be chosen by the user by manipulating the toggle 

by the receive host (FIG, 1) based on availability of SOPS, buttons 483 with a button on a mouse (not shown). In this 

etc. Preferably, the receive host 106 wiU attempt to establish manner, one may alter the priority of the particular data 

percentage based verification before delayed verification stream. 

due to a greater reliability and a lesser susceptibility to 45 Turning then, to FIG. 5, shown is the authentication data 
delays, when the desired security configuration allows the block 139. The authentication data block 139 includes the 
receiver to select the verification type. Generally, delayed authentication header 126 with various data fields to corn- 
verification is employed when percentage based verification municate the various security parameters discussed previ- 
cannol be accommodated by the receive host 106. ously as well as additional parameters. It is understood that 

The output display screen 403 also includes a desired 50 the particular order and size of the data fields as shown 

parametersblock419 which displays a desired security level herein is as an example as other sizes and orders may be 

range which includes a minimum security level 423 and a employed. The authentication header 126 includes an 

target security level 426 which may be entered with the user authentication sequence number field 503 which uses bytes 

input interface 129 (FIG. 2) such as a keyboard for example. 0-16. The authentication sequence number field 503 is 

The desired parameters block 419 also includes a desired ss employed to keep track of the order in which data packets 

security algorithm 429 and a fixed block 433. The desired are authenticated and received. Next, a data frame size field 

parameters block 419 may offer a pull down list of sectuity 506 occupying bytes 17-20 is specified which indicates the 

algorithms within which one may chose a particular algo- size of the authentication data block 139. A frame type field 

rilhm to be employed. The fixed block 433 indicates whether 509 which occupies the 2V byte is specific to an encoding 

the receive host 106 may specify an actual security algo- 60 employed, for example, I, B, or P frames as in MPEG 

rilhm other than that chosen by the user as indicated by the encoding, which is known in the art. 

desired security algorithm 429. Next, a security algorithm field 513 is specified in byte 23 

The output display screen 403 also includes a security which indicates the actual security algorithm 513 employed 

thermostat 436 which includes a slide control 443 that by the receive host 106 (FIG. 1). In byte 24 is a verification 

indicates the actual security level 439 between the minimum 65 type field 516 which indicates the actual verification type 

and target security levels 423 and 426. Note that the slide employed by the receive host 106. In byte 25, a security 

control may be moved up and down with, for example, a level minimum field 519 is defined which indicates the 
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minimum security level or verification percentage to be data stream. Generally, such information is stored in a 

performed by the receive host 106. Note that the minimum tracking table in the memory 609 that may include values 

security level can not be changed by the receive host 106 so which indicate the data stream priority, an amotmt of SOPS 

that a minimum level of verification is maintained as desired necessary to maintain the minimum security level, the 
by the user. Next is a target security level field 523 which 5 amount of SOPS consumed to maintain the actual security 

occupies byte 25 and specifies the target security level. The j^vel, and the amount of SOPS necessary to achieve the 

target secunty level is set by the send host 103 while the ^^^^^ security level for each existing data stream received 

receive host 106 attempts to meet this level. The target ^ ^^^^-^^ ^^^^ -^he tracking table may also be stored on 

secunty level field 523 is followed by an actual secunty ^^^^ ^^^-^^ ^36 or other suitable storage device, 

level field 526 which occupies byte 26 of the authentication ^ , , . . . , - 
data block 139. The actual security level 526 may be '° Thereafter the receive host venficaUoD logic 619 

determined by the receive host 106 in Ugbt of available Prog«=sses to block 716 where the tracking table is consulted 

processor resources, or the user at the setKl host 103 may determme how many SOPS are avajable to accommodate 

manually change the actual security level 526 via the P°'™"'^ °7 ^""^ °' '^^ '^^"^'^ '^-Se m ihe 
security thermostat 436. Byte 27 is occupied by a priority „ ''^'"V ^'=""'5' .L'''*^^ particular, the receive host venfica- 

field 529 which holds the actual priority assigned to the data "^^""^^ '^^ "^^y """^'^^^J!^ ""^A 

stream. Finally, the signature block U9 foUows the priority '°*°y non-criUcal SOPS may be diverted from 

field 529 and is of variable length depending upon the the venflcauon processing of other data streams to facUitate 

particular security algorithm employed. P°'«f ^"^^'^.^'^^ "f""^ 
™ . , / * , . • . , 1 J- f security level. Non-critical SOPS are those used to perform 

Turamg next to FIG. 6, shown is a block diagram of the * l j c *■ * i i i 
• u . rr^ir^ -i\ in. • u *-ia*:' • ^ ^" * percentage based verification at an actual secunty level 

receive host 106 (FIG. 1). The receive host 106 is comprised l • ^ • * *u i i r 

c * \ u- u • 1 J /:a/: which IS greater than the minimum security level for a 

of a computer system 603 which includes a processor 606, , ? * ^ . ■ . i oi-^no 

J J* * • particular data stream. That IS to say, non-cntical SOPS may 

a memory 609, and a data communication interface 613. The l „ i- -^^ r . i 

rn/ J J . • . • . be diverted &om the verification processmg of a particular 
processor 606, memory 609, and data commumcation mter- j . * . ■* i i i_ 
r ^^-i 11 1 . • 11 1 J . J . u data stream and the mmimum security level can be mam- 
face 613 are all electrically coupled to a data bus 616. The r ^ ^ 

. J- . • 1. . •£ ^- tamed for that data stream, 
processor 606 operates according to receive host verification 

logic 619 stored on the memory 609. The data communica- receive host venfication logic 619 then progresses to 

tion interface 613 is adapted to be electrically coupled to a ^^lo^^^ "^^^ ^ ^hich it is determined whether there are 

number of channels 623 through which the receive host 106 enough unused SOPS and non-cntical SOPS as mdicated by 

may communicate with any number of send hosts 103. The ^« tracking table which may be diverted to accommodate 

receive host 106 further includes a data storage device 626, ^^w data stream or the secunty parameter change. If 

an input interface 629, and an output display interface 633, ^^^^ ^ ^^^^ ^^^^^^^ ^^^l verification logic 619 

all of which are electrically coupled to the data bus 616. The proceeds to block 723. If not, then the new data stream is 

input interface 629 is also electrically coupled to receive rejected and/or the security parameter change is not imple- 
hostinpulinterfacedevicel73suchasakeyboardormouse. „ ^^^^t^d and the receive host verification logic 619 reverts 

Similarly, the output display interface 633 is electricaUy *>ack to block 703. For example, if one attempts to increase 

coupled to the receive display device 176 which may be a actual security level by manipulating the security ther- 

CRT or other similar device. The receive display device 176 °^ostat 436 (FIG. 4), then the receive host 106 will attempt 

features the output display screen 403 (FIG. 4) to inform the faalitate the mcrease m the acmal security level. If the 

end user of the operation of the receive host 106. receive host 106 cannot achieve the higher secunty level 

Referring then, to FIG. 7, shown is a flow chart which ^^^^S percentage based verification, then the receive host 

depicts the receive host verification logic 619. Hie receive °lfy automaticaUy switch the venfication type to 

host verification logic 619 begins with block 703 in which delayed venficauon to accommodate a secunty level of one 

it is ascertained whether a parUcular send host 103 (FIG. 1) hundred percent. 

is attempting to establish secure data communication with 45 1° ^^^ck 723, the previously identified non-critical SOPS 

the receive host 106 (FIG. 1). If so, the receive host and any unused SOPS are diverted to accommodate the new 

verification logic 619 progresses to block 706 in which in data stream and/or the security parameter change. The 

which the receive host 106 is provided with the priority tracking table is updated with the new allocation for each 

value for the data stream and the desired parameters includ- altered data stream including the new data stream if one is 
ing the security algorithm, verification type, minimum and 50 implemented. Thereafter, the receive host verification logic 

target security levels, and an initial actual security level 723 progresses to block 726. 

which may equal, for example, the target security level. Referring back at block 713, if there is not change to the 
Thereafter, the receive host verification logic 619 proceeds security parameters, then the receive host verification logic 
to block 709. 619 proceeds to block 729 in which it is determined whether 
If in block 703 there is no new data stream to be received, 55 the communication of any current data stream has termi- 
then the receive host verification logic 619 proceeds to block nated. If such is not the case, then the receive host verifi- 
713 in which it is determined if any of the desired security cation logic 619 reverts back to block 703. If a current data 
parameters, specifically the actual security level, has been stream has ceased communication in block 729, then the 
changed by the user at the send host 103. If any security receive host verification logic 619 progresses to block 733. 
parameters have changed, then the receive host verification 60 ^^ock 733, the SOPS which were employed in processing 
logic 619 moves to block 709. the now tcnminated data stream arc reallocated to the exist- 
In block 709, the receive host verification logic 619 m data streams to maximize security for all of the data 
evaluates either the potential new data stream based on the streams. Thereafter, the receive host verification logic 619 
parameters received in block 706, or the change in the actual continues to block 726. 

security level or other security parameters detected in block 65 In block 726, the security parameters for all data streams 

713 to determine how many SOPS are required by the new which are new or altered due to the allocation or reallocation 

data stream or the security parameter change in an existing of the SOPS in blocks 723 and 733 are communicated to 
their respective send host(s) 103. Next, in block 736, the verification of the data packets of the current data streams is performed according to the security parameters determined for each data stream. Thereafter, the receive host verification logic 619 reverts back to block 703.

Note that the receive host verification logic 619 operates in a continuous loop searching for changes in the processing of the data streams and reacts to changes by either reallocating processor resources (SOPS) to accommodate a change, or rejecting such changes altogether and maintaining the status quo.

Finally, referring to FIG. 8, shown is a flow chart of the non-critical SOPS identification subroutine 716. The subroutine 716 executes the logical steps taken in identifying non-critical SOPS with which to accommodate a change in security parameters of an existing data stream or to accommodate a new data stream. Beginning with block 803, the resource tracking table is consulted and a predetermined number of existing data streams with a priority that is equal to or lower than the priority of the new data stream or the changed data stream are examined to determine the quantity of non-critical SOPS in each. The predetermined number of lower priority data streams may be, for example, a predefined number of data streams starting from the lowest priority up, or the predetermined number of lower priority data streams may be determined at random. The predetermined number of data streams examined may include all of the lower priority data streams if there are not too many to examine.

Next, in block 806, if a new data stream is sought to be implemented, then the subroutine 716 progresses to block 809. If a new data stream is not to be implemented in block 806, then the subroutine 716 ends. In block 809, a predetermined number of data streams with a higher priority than the new data stream are examined for non-critical SOPS. The predetermined data streams examined may be, for example, a specific number of data streams starting from the highest priority down, or a random sampling of the higher priority data streams. The predetermined number of data streams examined may include all of the higher priority data streams if there are not too many to examine within an acceptable time period. Thereafter, the subroutine ends.

Note that both the send host authentication logic 229 and the receive host verification logic 619 of the present invention can be implemented in hardware, software, firmware, or a combination thereof. In the preferred embodiment(s), both the send host authentication logic 229 and the receive host verification logic 619 are implemented in software or firmware that is stored in a memory and that is executed by a suitable instruction execution system.

The flow charts of FIGS. 3, 7, and 8 show the architecture, functionality, and operation of a possible implementation of the adaptive security software employed by the send host 103 (FIG. 2) and the receive host 106 (FIG. 6). In this regard, each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted in FIGS. 3, 7, and 8. For example, two blocks shown in succession in FIGS. 3, 7, and 8 may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved, as will be further clarified hereinbelow.

In addition, the send host authentication logic 229 (FIG. 3) and the receive host verification logic 619 (FIGS. 7 and 8), each of which comprises an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. In the context of this document, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer readable medium can be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a nonexhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic) having one or more wires, a portable computer diskette (magnetic), a random access memory (RAM) (magnetic), a read-only memory (ROM) (magnetic), an erasable programmable read-only memory (EPROM or Flash memory) (magnetic), an optical fiber (optical), and a portable compact disc read-only memory (CDROM) (optical). Note that the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.

Many variations and modifications may be made to the above-described embodiment(s) of the invention without departing substantially from the spirit and principles of the invention. All such modifications and variations are intended to be included herein within the scope of the present invention.

Therefore, having thus described the invention, at least the following is claimed:

1. A send host employing adaptive security, comprising:

a processor coupled to a data bus;

a memory coupled to the data bus;

an input device coupled to the data bus to input a desired security configuration for a data stream to be communicated to a receive host;

an output device coupled to the data bus to display an actual security configuration for the data stream, the actual security configuration being received from the receive host; and

adaptive security logic stored on the memory, the adaptive security logic including logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block with an authentication header containing the actual security configuration and a signature.

2. The send host of claim 1, wherein the adaptive security logic further comprises security thermostat logic to control an actual security level, the actual security level being included in the authentication header.

3. The send host of claim 1, wherein the adaptive security logic further comprises logic to place a minimum verification percentage in the authentication header.

4. The send host of claim 1, wherein the desired security configuration is displayed on the output device.

5. The send host of claim 1, wherein the actual security configuration is displayed on the output device.

6. The send host of claim 1, wherein the desired security configuration comprises a desired verification type, a minimum verification percentage, a target verification percentage, a security algorithm, and an actual verification percentage.

7. A receive host employing adaptive security, comprising:

a processor coupled to a data bus; 

a memory coupled to the data bus; 

a data communications interface coupled to the data bus, 
the data communications interface being configured to 
receive at least one data stream comprising a number of
data packets, the data packets including an authentica- 
tion data block, the authentication data block having an 
authentication header and a signature; 

adaptive security logic stored on the memory, the adaptive 
security logic including logic including 
logic to decompose the authentication header in the 
data packets; 

logic to perform a variable percentage verification on 
the data packets from the data stream; and 

logic to determine an actual verification percentage 
performed based on a number of available security 
operations in the receive host, a minimum verifica- 
tion percentage, and a target verification percentage, 
the minimum verification percentage and the target 
verification percentage being contained in the 
authentication header. 

8. The receive host of claim 7, wherein the logic to 
determine an actual verification percentage further com- 
prises logic to determine the processor time availability by
examining the at least one data stream received by the input 
device for a non-critical processor time usage. 

9. The receive host of claim 7, wherein the adaptive 
security logic further comprises: 

logic to perform a delayed verification on a bundle of data 
packets from the data stream; and 

logic to enable one of the delayed verification and the 
variable percentage verification based on a verification 
type field contained in the authentication header and on 
a number of available security operations in the receive 
host. 

10. The receive host of claim 7, wherein the adaptive 
security logic further comprises logic to maintain a resource 
tracking table which indicates the security operations 
required to accomplish the minimum security level, the 
target security level, the actual security level, and the 
priority level of a particular data stream. 

11. A send host employing adaptive security, comprising:

means for inputting a desired security configuration for a 
data stream to be communicated to a receiver; 

means for displaying the desired security configuration 
and an actual security configuration for the data stream, 
the actual security configuration being received from 
the receiver; and 

means for generating a plurality of data packets associated 
with the data stream, the data packets including a data
block and an authentication data block having an 
authentication header containing the actual security 
configuration and a signature. 

12. A receive host employing adaptive security, compris- 
ing: 

means for receiving at least one data stream comprising a 
number of data packets, the data packets including an
authentication data block, the authentication data block 
having an authentication header and a signature; 

means for decomposing the authentication header in the 
data packets; 
means for performing a percentage based verification on
the data packets from the data stream; 

means for determining an actual security level performed 
based on a number of available security operations, a 
minimum security level, and a target security level, and 
a desired actual security level, the minimum security 
level and the target security level being contained in the 
authentication header; and

means for communicating the actual security level to a
send host. 

13. The receive host of claim 12, wherein the means for 
determining an actual security level further comprises means 
for determining a processor time availability by examining 
a resource tracking table for a non-critical processor time 
usage of at least one existing data stream. 

14. The receive host of claim 12, further comprising:
means for performing a delayed verification on a bundle 

of data packets from the data stream; and 
means for enabling one of the delayed verification and the 
variable percentage verification based on a verification 
type field contained in the authentication header and on 
a number of available security operations in the receive 
host. 

15. A method for communicating a data stream employing 
adaptive security, comprising the steps of: 

identifying a desired verification type, a desired security 
algorithm, a minimum security level, a target security 
level, and a desired actual security level in a send host 
for communicating a data stream from the send host to 
a receive host; 

determining an actual verification type, an actual security 
algorithm, and an actual security level in the receive 
host based on the desired verification type, desired 
security algorithm, minimum security level, target 
security level, and an availability of a number of 
security processor operations;

communicating the actual verification type, the actual 
security algorithm, and the actual security level from 
the receive host to the send host; 

generating a plurality of data packets associated with the
data stream in the send host, the data packets having an 
authentication data block with an authentication 
header, the authentication header containing the actual 
verification type, actual security algorithm, minimum 
security level, the target security level, and the actual 
security level; 

verifying the data packets using percentage based verifi- 
cation if the actual verification type is percentage based 
verification, the percentage based verification being 
performed at the actual security level which is greater 
or equal to the minimum security level and less than or 
equal to the target security level; and 

performing a delayed verification on the data packets if 
the actual verification type is delayed verification. 

16. The method of claim 15, further comprising the step 
of altering the actual security level in the send host using a 
security thermostat. 

17. The method of claim 15, further comprising the step 
of identifying the availability of a number of security 
operations per second (SOPS) by identifying a number of 
non-critical SOPS employed by a plurality of second data 
streams received by the receive host, and by identifying a 
number of unused SOPS in the receive host. 

18. A computer program embodied on a computer- 
readable medium for operation in a send host to facilitate 
data communication with adaptive security, comprising: 
logic to input a desired security configuration for a data stream to be communicated to a receiver;

logic to display a desired security configuration and an actual security configuration for the data stream, the actual security configuration being received from the receiver; and

logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block having an authentication header containing the actual security configuration and a signature.

19. A computer program embodied on a computer-readable medium for operation in a receive host to facilitate data communication with adaptive security, comprising:

logic to receive at least one data stream comprising a number of data packets, the data packets including an authentication data block, the authentication data block having an authentication header and a signature;

logic to decompose the authentication header in the data packets;

logic to perform a percentage based verification on the data packets from the data stream;

logic to determine an actual security level performed based on a number of available security operations in a receive host, a minimum security level, and a target security level, the minimum security level and the target security level being contained in the authentication header; and

logic to communicate the actual security level to a send host.

20. The computer program embodied on a computer-readable medium of claim 19, wherein the logic to determine the actual security level further comprises logic to determine a processor time availability by examining a resource tracking table for a non-critical processor time usage of at least one existing data stream.

21. The computer program embodied on a computer-readable medium of claim 19, further comprising:

logic to perform a delayed verification on a bundle of data packets from the data stream; and

logic to enable one of the delayed verification and the variable percentage verification based on a verification type field contained in the authentication header and on the number of available security operations in the receive host.

22. A computer program embodied in a modulated data signal for transmission across a network, the computer program being for operation in a send host to facilitate data communication with adaptive security, comprising:

logic to input a desired security configuration for a data stream to be communicated to a receive host;

logic to display the desired security configuration and an actual security configuration for the data stream, the actual security configuration being received from the receive host; and

logic to generate a plurality of data packets associated with the data stream, the data packets including an authentication data block having an authentication header containing the actual security configuration and a signature.

23. A computer program embodied in a modulated data signal for transmission across a network, the computer program being for operation in a receive host to facilitate data communication with adaptive security, comprising:

logic to receive at least one data stream comprising a number of data packets, the data packets including an authentication data block, the authentication data block having an authentication header and a signature;

logic to decompose the authentication header in the data packets;

logic to perform a percentage based verification on the data packets from the data stream;

logic to determine an actual security level performed based on a number of available security operations, a minimum security level, and a target security level, the minimum security level and the target security level being contained in the authentication header; and

logic to communicate the actual security level to a send host.

24. The computer program embodied in a modulated data signal of claim 23, wherein the logic to determine an actual security level comprises logic to determine a processor time availability by examining said at least one data stream received by the input device for a non-critical processor time usage.

25. The computer program embodied in a modulated data signal of claim 23, further comprising:

logic to perform a delayed verification on a bundle of data packets from the data stream; and

logic to enable one of the delayed verification and the variable percentage verification based on an availability of computer resources and on a verification type in the authentication header.

26. A receive host employing adaptive security with respect to at least one data stream having a number of data packets received by the receive host, comprising:

means for determining a number of available security operations in the receive host; and

means for allocating the number of available security operations in the receive host to perform a verification of a number of the data packets in the at least one data stream.

27. The receive host of claim 26, wherein the means for determining a number of available security operations in the receive host further comprises means for determining the number of available security operations based upon a priority assigned to the at least one data stream.

28. The receive host of claim 26, wherein the means for determining a number of available security operations in the receive host further comprises means for determining a number of non-critical security operations.

29. A method for employing adaptive security with respect to at least one data stream having a number of data packets received by a receive host, comprising the steps of:

determining a number of available security operations in the receive host; and

allocating the number of available security operations in the receive host to perform a verification of a number of the data packets in the at least one data stream.

30. The method of claim 29, wherein the step of determining a number of available security operations in the receive host further comprises the step of determining the number of available security operations based upon a priority assigned to the at least one data stream.

31. The method of claim 29, wherein the step of determining a number of available security operations in the receive host further comprises the step of determining a number of non-critical security operations.

* * * * *
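The receive host side of the scheme, as an added worked example that is not part of the patent or of any implementation of it: a resource tracking table, the non-critical SOPS search of blocks 803 and 809 (FIG. 8), admission or rejection of a new data stream (blocks 709 through 723 of FIG. 7), reallocation when a stream terminates (block 733), and variable percentage verification of the packets at the actual level (claims 7, 15 and 26 through 31). The patent gives no cost model, so the example assumes that verifying one packet costs a fixed number of SOPS and that a stream verified at p percent therefore needs ceil(rate x cost x p / 100) SOPS; it also assumes integer priorities where a larger number is higher, HMAC-SHA256 as the security algorithm named in the authentication header, a shared key, and a keyed pseudorandom rule for choosing which packets to verify. The names Stream, ReceiveHost, sign, verify_percentage and demo, the key, the four sample streams and the 200 constructed packets are all the example's own.

```python
# Added example, not the patent's code. Assumptions: verifying one packet
# costs a fixed number of SOPS, so p percent of a stream costs
# ceil(rate * cost * p / 100) SOPS; a larger priority number wins.
import hashlib, hmac, math
from dataclasses import dataclass
KEY = b"constructed-demo-key"  # shared key, demo only

@dataclass
class Stream:
    sid: str
    priority: int
    rate: int            # packets per second
    cost: int            # SOPS needed to verify one packet
    min_pct: int         # minimum verification percentage (from the header)
    target_pct: int      # target verification percentage (from the header)
    actual_pct: int = 0  # actual level chosen by the receive host

    def sops_at(self, pct):
        return math.ceil(self.rate * self.cost * pct / 100)

    actual_sops = property(lambda s: s.sops_at(s.actual_pct))
    # SOPS spent above the minimum level, reclaimable without breaking it:
    noncritical_sops = property(lambda s: s.actual_sops - s.sops_at(s.min_pct))

class ReceiveHost:
    def __init__(self, capacity):
        self.capacity = capacity  # total SOPS this host can perform
        self.table = {}           # resource tracking table, keyed by sid

    def unused_sops(self):
        return self.capacity - sum(s.actual_sops for s in self.table.values())

    def noncritical_candidates(self, priority, new_stream):
        # Block 803: equal or lower priority streams, lowest first; block 809:
        # a new stream may also draw on higher priority streams, highest first.
        lower = sorted((s for s in self.table.values() if s.priority <= priority),
                       key=lambda s: s.priority)
        higher = sorted((s for s in self.table.values() if s.priority > priority),
                        key=lambda s: -s.priority) if new_stream else []
        return [s for s in lower + higher if s.noncritical_sops > 0]

    def _reclaim(self, donors, needed):
        # Lower donors one percent at a time, never below their minimum.
        freed = 0
        for d in donors:
            while freed < needed and d.actual_pct > d.min_pct:
                before = d.actual_sops
                d.actual_pct -= 1
                freed += before - d.actual_sops

    def _raise_levels(self, streams):
        # Spend unused SOPS raising levels toward targets, highest priority first.
        for s in sorted(streams, key=lambda s: -s.priority):
            while (s.actual_pct < s.target_pct and
                   s.sops_at(s.actual_pct + 1) - s.actual_sops <= self.unused_sops()):
                s.actual_pct += 1

    def admit(self, s):
        # Blocks 709/716/723: admit a new stream between its minimum and target
        # level, or reject it and keep the status quo.
        donors = self.noncritical_candidates(s.priority, new_stream=True)
        need_min = s.sops_at(s.min_pct)
        if self.unused_sops() + sum(d.noncritical_sops for d in donors) < need_min:
            return False
        if self.unused_sops() < need_min:
            self._reclaim(donors, need_min - self.unused_sops())
        s.actual_pct = s.min_pct
        self.table[s.sid] = s
        self._raise_levels([s])
        return True

    def release(self, sid):
        # Block 733: a stream ended; hand its SOPS to the remaining streams.
        del self.table[sid]
        self._raise_levels(list(self.table.values()))

def sign(seq, payload):
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

def verify_percentage(packets, pct):
    # Variable percentage verification; returns (packets checked, failed seqs).
    # Which packets are checked is a keyed pseudorandom choice, so a sender
    # without KEY cannot predict the skipped ones (unlike every Nth packet).
    checked, failed = 0, []
    for seq, payload, sig in packets:
        tag = hmac.new(KEY, b"select" + seq.to_bytes(4, "big"), hashlib.sha256).digest()
        if tag[0] * 100 < pct * 256:
            checked += 1
            if not hmac.compare_digest(sign(seq, payload), sig):
                failed.append(seq)
    return checked, failed

def demo():
    # Constructed sample: four streams on a 1000 SOPS host; packet 7 of 200 is tampered.
    host = ReceiveHost(1000)
    for s in (Stream("A", 2, 100, 2, 50, 100), Stream("B", 1, 200, 2, 25, 100),
              Stream("C", 3, 300, 2, 50, 80), Stream("D", 1, 100, 5, 40, 60)):
        host.admit(s)
    packets = [(i, b"data%d" % i, sign(i, b"data%d" % i)) for i in range(200)]
    packets[7] = (7, b"tampered", packets[7][2])
    return host, packets
```

Running demo() admits four streams on a 1000 SOPS host. Streams A, B and C fit at 100, 100 and 66 percent; the fourth, D, has a 200 SOPS minimum but only 4 SOPS are unused, so the host lowers B (equal priority, lowest in the table) from 100 to 51 percent, the smallest reduction that frees the 196 SOPS still needed, and admits D at its 40 percent minimum. Releasing B afterwards raises C to its 80 percent target and D to its 60 percent target, highest priority first, with 20 SOPS left over. A fifth stream whose minimum exceeds the unused plus non-critical SOPS is rejected without touching the table, which is the "maintaining the status quo" branch. Which packets are verified is decided by a keyed hash of the sequence number rather than by a fixed every-Nth rule, so a party in the path who does not hold the key cannot aim forgeries at the unverified packets; the patent does not specify this choice, and it is the example's own.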